Edit tour

Windows Analysis Report
SplashWin.exe

Overview

General Information

Sample name:	SplashWin.exe
Analysis ID:	1615441
MD5:	a3804610095a93b48084e2a078fef974
SHA1:	c6d7ac027c2533fa2a6ca90bc5473d9daed62702
SHA256:	916c3342528c9b7c826e55482e2dca94b85b3eb11684f968bfbbc7c5fd46e3c9
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

Connects to a pastebin service (likely for C&C)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64native

SplashWin.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\SplashWin.exe" MD5: A3804610095A93B48084E2A078FEF974)

more.com (PID: 1824 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 1692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

MSBuild.exe (PID: 3372 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

IbConsole.exe (PID: 444 cmdline: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe MD5: A3804610095A93B48084E2A078FEF974)

more.com (PID: 6876 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

MSBuild.exe (PID: 5212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\srva	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\beo	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\beo	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\srva	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\beo	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb5026:$s14: keybd_event 0xbbf88:$v1_1: grabber@ 0xb5be2:$v1_2: <BrowserProfile>k__ 0xb666f:$v1_3: <SystemHardwares>k__ 0xb672e:$v1_5: <ScannedWallets>k__ 0xb67be:$v1_6: <DicrFiles>k__ 0xb679a:$v1_7: <MessageClientFiles>k__ 0xb6b64:$v1_8: <ScanBrowsers>k__BackingField 0xb6bb6:$v1_8: <ScanWallets>k__BackingField 0xb6bd3:$v1_8: <ScanScreen>k__BackingField 0xb6c0d:$v1_8: <ScanVPN>k__BackingField 0xa8542:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa7e4e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\srva	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb5026:$s14: keybd_event 0xbbf88:$v1_1: grabber@ 0xb5be2:$v1_2: <BrowserProfile>k__ 0xb666f:$v1_3: <SystemHardwares>k__ 0xb672e:$v1_5: <ScannedWallets>k__ 0xb67be:$v1_6: <DicrFiles>k__ 0xb679a:$v1_7: <MessageClientFiles>k__ 0xb6b64:$v1_8: <ScanBrowsers>k__BackingField 0xb6bb6:$v1_8: <ScanWallets>k__BackingField 0xb6bd3:$v1_8: <ScanScreen>k__BackingField 0xb6c0d:$v1_8: <ScanVPN>k__BackingField 0xa8542:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa7e4e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.124263973700.00000000053F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.124263973700.00000000053F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.124262503392.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.124262503392.0000000001102000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.125357093809.0000000006064000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.124227499563.0000000005250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.124227499563.0000000005250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: more.com PID: 1824	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 1824	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: more.com PID: 6876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: more.com PID: 6876	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 3372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 3372	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5212	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.more.com.52500c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.more.com.52500c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.more.com.52500c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb5026:$s14: keybd_event 0xbbf88:$v1_1: grabber@ 0xb5be2:$v1_2: <BrowserProfile>k__ 0xb666f:$v1_3: <SystemHardwares>k__ 0xb672e:$v1_5: <ScannedWallets>k__ 0xb67be:$v1_6: <DicrFiles>k__ 0xb679a:$v1_7: <MessageClientFiles>k__ 0xb6b64:$v1_8: <ScanBrowsers>k__BackingField 0xb6bb6:$v1_8: <ScanWallets>k__BackingField 0xb6bd3:$v1_8: <ScanScreen>k__BackingField 0xb6c0d:$v1_8: <ScanVPN>k__BackingField 0xa8542:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa7e4e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
6.2.more.com.53f00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.more.com.53f00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.more.com.53f00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb5026:$s14: keybd_event 0xbbf88:$v1_1: grabber@ 0xb5be2:$v1_2: <BrowserProfile>k__ 0xb666f:$v1_3: <SystemHardwares>k__ 0xb672e:$v1_5: <ScannedWallets>k__ 0xb67be:$v1_6: <DicrFiles>k__ 0xb679a:$v1_7: <MessageClientFiles>k__ 0xb6b64:$v1_8: <ScanBrowsers>k__BackingField 0xb6bb6:$v1_8: <ScanWallets>k__BackingField 0xb6bd3:$v1_8: <ScanScreen>k__BackingField 0xb6c0d:$v1_8: <ScanVPN>k__BackingField 0xa8542:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa7e4e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
2.2.more.com.52500c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.more.com.52500c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.more.com.52500c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb3226:$s14: keybd_event 0xba188:$v1_1: grabber@ 0xb3de2:$v1_2: <BrowserProfile>k__ 0xb486f:$v1_3: <SystemHardwares>k__ 0xb492e:$v1_5: <ScannedWallets>k__ 0xb49be:$v1_6: <DicrFiles>k__ 0xb499a:$v1_7: <MessageClientFiles>k__ 0xb4d64:$v1_8: <ScanBrowsers>k__BackingField 0xb4db6:$v1_8: <ScanWallets>k__BackingField 0xb4dd3:$v1_8: <ScanScreen>k__BackingField 0xb4e0d:$v1_8: <ScanVPN>k__BackingField 0xa6742:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa604e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
6.2.more.com.53f00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.more.com.53f00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.more.com.53f00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb3226:$s14: keybd_event 0xba188:$v1_1: grabber@ 0xb3de2:$v1_2: <BrowserProfile>k__ 0xb486f:$v1_3: <SystemHardwares>k__ 0xb492e:$v1_5: <ScannedWallets>k__ 0xb49be:$v1_6: <DicrFiles>k__ 0xb499a:$v1_7: <MessageClientFiles>k__ 0xb4d64:$v1_8: <ScanBrowsers>k__BackingField 0xb4db6:$v1_8: <ScanWallets>k__BackingField 0xb4dd3:$v1_8: <ScanScreen>k__BackingField 0xb4e0d:$v1_8: <ScanVPN>k__BackingField 0xa6742:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa604e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
9.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.MSBuild.exe.1100000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.MSBuild.exe.1100000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb5026:$s14: keybd_event 0xbbf88:$v1_1: grabber@ 0xb5be2:$v1_2: <BrowserProfile>k__ 0xb666f:$v1_3: <SystemHardwares>k__ 0xb672e:$v1_5: <ScannedWallets>k__ 0xb67be:$v1_6: <DicrFiles>k__ 0xb679a:$v1_7: <MessageClientFiles>k__ 0xb6b64:$v1_8: <ScanBrowsers>k__BackingField 0xb6bb6:$v1_8: <ScanWallets>k__BackingField 0xb6bd3:$v1_8: <ScanScreen>k__BackingField 0xb6c0d:$v1_8: <ScanVPN>k__BackingField 0xa8542:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa7e4e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 10 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T21:40:15.408305+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49771	92.255.85.36	9000	TCP
2025-02-14T21:40:15.994620+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49772	92.255.85.36	9000	TCP
2025-02-14T21:40:16.562212+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49773	92.255.85.36	9000	TCP
2025-02-14T21:40:17.146665+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49774	92.255.85.36	9000	TCP
2025-02-14T21:40:17.716521+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49775	92.255.85.36	9000	TCP
2025-02-14T21:40:21.045183+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49776	92.255.85.36	9000	TCP
2025-02-14T21:40:21.612733+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49777	92.255.85.36	9000	TCP
2025-02-14T21:40:22.752550+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49778	92.255.85.36	9000	TCP
2025-02-14T21:40:23.355298+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49779	92.255.85.36	9000	TCP
2025-02-14T21:40:23.936945+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49780	92.255.85.36	9000	TCP
2025-02-14T21:40:24.510629+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49781	92.255.85.36	9000	TCP
2025-02-14T21:40:25.128237+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49782	92.255.85.36	9000	TCP
2025-02-14T21:40:25.676987+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49783	92.255.85.36	9000	TCP
2025-02-14T21:40:27.280529+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49784	92.255.85.36	9000	TCP
2025-02-14T21:40:27.857853+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49785	92.255.85.36	9000	TCP
2025-02-14T21:40:28.966077+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49786	92.255.85.36	9000	TCP
2025-02-14T21:40:29.541697+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49787	92.255.85.36	9000	TCP
2025-02-14T21:40:30.145993+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49788	92.255.85.36	9000	TCP
2025-02-14T21:40:30.712660+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49789	92.255.85.36	9000	TCP
2025-02-14T21:40:31.268713+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49790	92.255.85.36	9000	TCP
2025-02-14T21:40:31.801664+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49791	92.255.85.36	9000	TCP
2025-02-14T21:40:32.336777+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49792	92.255.85.36	9000	TCP
2025-02-14T21:40:32.916393+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49793	92.255.85.36	9000	TCP
2025-02-14T21:40:37.155282+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49794	92.255.85.36	9000	TCP
2025-02-14T21:40:37.758017+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49795	92.255.85.36	9000	TCP
2025-02-14T21:40:38.370951+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49796	92.255.85.36	9000	TCP
2025-02-14T21:40:38.948475+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49797	92.255.85.36	9000	TCP
2025-02-14T21:40:39.535776+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49799	92.255.85.36	9000	TCP
2025-02-14T21:40:40.126010+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49800	92.255.85.36	9000	TCP
2025-02-14T21:40:40.695222+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49801	92.255.85.36	9000	TCP
2025-02-14T21:40:41.308085+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49802	92.255.85.36	9000	TCP
2025-02-14T21:40:41.881618+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49803	92.255.85.36	9000	TCP
2025-02-14T21:40:42.474602+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49804	92.255.85.36	9000	TCP
2025-02-14T21:40:43.031401+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49805	92.255.85.36	9000	TCP
2025-02-14T21:40:43.648754+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49806	92.255.85.36	9000	TCP
2025-02-14T21:40:44.201570+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49807	92.255.85.36	9000	TCP
2025-02-14T21:40:44.798639+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49808	92.255.85.36	9000	TCP
2025-02-14T21:40:45.332906+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49809	92.255.85.36	9000	TCP
2025-02-14T21:40:45.950756+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49810	92.255.85.36	9000	TCP
2025-02-14T21:40:46.520947+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49811	92.255.85.36	9000	TCP
2025-02-14T21:40:47.121811+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49812	92.255.85.36	9000	TCP
2025-02-14T21:40:47.693696+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49813	92.255.85.36	9000	TCP
2025-02-14T21:40:48.274516+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49814	92.255.85.36	9000	TCP
2025-02-14T21:40:48.885214+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49815	92.255.85.36	9000	TCP
2025-02-14T21:40:49.435820+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49816	92.255.85.36	9000	TCP
2025-02-14T21:40:49.973415+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49817	92.255.85.36	9000	TCP
2025-02-14T21:40:50.574649+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49818	92.255.85.36	9000	TCP
2025-02-14T21:40:51.125015+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49819	92.255.85.36	9000	TCP
2025-02-14T21:40:51.701292+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49820	92.255.85.36	9000	TCP
2025-02-14T21:40:52.278321+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49821	92.255.85.36	9000	TCP
2025-02-14T21:40:52.882069+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49822	92.255.85.36	9000	TCP
2025-02-14T21:40:53.449352+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49823	92.255.85.36	9000	TCP
2025-02-14T21:40:54.028160+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49824	92.255.85.36	9000	TCP
2025-02-14T21:40:54.561754+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49825	92.255.85.36	9000	TCP
2025-02-14T21:40:55.117213+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49826	92.255.85.36	9000	TCP
2025-02-14T21:40:55.691287+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49827	92.255.85.36	9000	TCP
2025-02-14T21:40:56.300566+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49828	92.255.85.36	9000	TCP
2025-02-14T21:40:57.427279+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49829	92.255.85.36	9000	TCP
2025-02-14T21:40:58.014202+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49830	92.255.85.36	9000	TCP
2025-02-14T21:40:58.590320+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49831	92.255.85.36	9000	TCP
2025-02-14T21:40:59.160136+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49832	92.255.85.36	9000	TCP
2025-02-14T21:40:59.803428+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49833	92.255.85.36	9000	TCP
2025-02-14T21:41:00.400628+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49834	92.255.85.36	9000	TCP
2025-02-14T21:41:00.986573+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49835	92.255.85.36	9000	TCP
2025-02-14T21:41:01.552589+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49836	92.255.85.36	9000	TCP
2025-02-14T21:41:02.105425+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49837	92.255.85.36	9000	TCP
2025-02-14T21:41:02.662359+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49838	92.255.85.36	9000	TCP
2025-02-14T21:41:04.247517+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49839	92.255.85.36	9000	TCP
2025-02-14T21:41:04.845479+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49840	92.255.85.36	9000	TCP
2025-02-14T21:41:05.432410+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49841	92.255.85.36	9000	TCP
2025-02-14T21:41:06.051525+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49842	92.255.85.36	9000	TCP
2025-02-14T21:41:06.613558+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49843	92.255.85.36	9000	TCP
2025-02-14T21:41:07.152401+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49844	92.255.85.36	9000	TCP
2025-02-14T21:41:07.698771+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49845	92.255.85.36	9000	TCP
2025-02-14T21:41:08.237240+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49846	92.255.85.36	9000	TCP
2025-02-14T21:41:08.812287+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49847	92.255.85.36	9000	TCP
2025-02-14T21:41:09.406950+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49848	92.255.85.36	9000	TCP
2025-02-14T21:41:09.961233+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49849	92.255.85.36	9000	TCP
2025-02-14T21:41:10.530338+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49850	92.255.85.36	9000	TCP
2025-02-14T21:41:11.086572+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49851	92.255.85.36	9000	TCP
2025-02-14T21:41:11.669152+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49852	92.255.85.36	9000	TCP
2025-02-14T21:41:12.253055+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49853	92.255.85.36	9000	TCP
2025-02-14T21:41:12.815248+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49854	92.255.85.36	9000	TCP
2025-02-14T21:41:13.409885+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49855	92.255.85.36	9000	TCP
2025-02-14T21:41:14.005770+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49856	92.255.85.36	9000	TCP
2025-02-14T21:41:14.555130+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49857	92.255.85.36	9000	TCP
2025-02-14T21:41:15.123119+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49858	92.255.85.36	9000	TCP
2025-02-14T21:41:15.679304+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49859	92.255.85.36	9000	TCP
2025-02-14T21:41:16.217304+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49860	92.255.85.36	9000	TCP
2025-02-14T21:41:16.783757+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49861	92.255.85.36	9000	TCP
2025-02-14T21:41:17.353668+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49862	92.255.85.36	9000	TCP
2025-02-14T21:41:17.933778+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49863	92.255.85.36	9000	TCP
2025-02-14T21:41:18.538811+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49864	92.255.85.36	9000	TCP
2025-02-14T21:41:20.147957+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49865	92.255.85.36	9000	TCP
2025-02-14T21:41:20.703530+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49866	92.255.85.36	9000	TCP
2025-02-14T21:41:22.302533+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49867	92.255.85.36	9000	TCP
2025-02-14T21:41:22.849409+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49868	92.255.85.36	9000	TCP
2025-02-14T21:41:23.485737+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49869	92.255.85.36	9000	TCP
2025-02-14T21:41:24.037018+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49870	92.255.85.36	9000	TCP
2025-02-14T21:41:24.625810+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49871	92.255.85.36	9000	TCP
2025-02-14T21:41:25.218117+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49872	92.255.85.36	9000	TCP
2025-02-14T21:41:25.771141+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49873	92.255.85.36	9000	TCP
2025-02-14T21:41:26.339689+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49874	92.255.85.36	9000	TCP
2025-02-14T21:41:26.937223+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49875	92.255.85.36	9000	TCP
2025-02-14T21:41:27.499792+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49876	92.255.85.36	9000	TCP
2025-02-14T21:41:28.070557+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49877	92.255.85.36	9000	TCP
2025-02-14T21:41:28.706101+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49878	92.255.85.36	9000	TCP
2025-02-14T21:41:29.278648+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49879	92.255.85.36	9000	TCP
2025-02-14T21:41:29.867020+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49880	92.255.85.36	9000	TCP
2025-02-14T21:41:30.476574+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49881	92.255.85.36	9000	TCP
2025-02-14T21:41:31.048582+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49882	92.255.85.36	9000	TCP
2025-02-14T21:41:31.623811+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49883	92.255.85.36	9000	TCP
2025-02-14T21:41:32.225188+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49884	92.255.85.36	9000	TCP
2025-02-14T21:41:32.771203+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49885	92.255.85.36	9000	TCP
2025-02-14T21:41:33.363594+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49886	92.255.85.36	9000	TCP
2025-02-14T21:41:34.716552+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49890	92.255.85.36	9000	TCP
2025-02-14T21:41:38.652507+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49891	92.255.85.36	9000	TCP
2025-02-14T21:41:39.315057+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49894	92.255.85.36	9000	TCP
2025-02-14T21:41:39.852496+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49896	92.255.85.36	9000	TCP
2025-02-14T21:41:40.609073+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49898	92.255.85.36	9000	TCP
2025-02-14T21:41:41.619160+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49901	92.255.85.36	9000	TCP
2025-02-14T21:41:42.406379+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49903	92.255.85.36	9000	TCP
2025-02-14T21:41:44.012276+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49904	92.255.85.36	9000	TCP
2025-02-14T21:41:44.586771+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49907	92.255.85.36	9000	TCP
2025-02-14T21:41:45.286605+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49910	92.255.85.36	9000	TCP
2025-02-14T21:41:45.901834+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49912	92.255.85.36	9000	TCP
2025-02-14T21:41:46.852352+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49915	92.255.85.36	9000	TCP
2025-02-14T21:41:47.413378+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49917	92.255.85.36	9000	TCP
2025-02-14T21:41:47.959715+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49919	92.255.85.36	9000	TCP
2025-02-14T21:41:48.657314+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49921	92.255.85.36	9000	TCP
2025-02-14T21:41:52.064942+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49923	92.255.85.36	9000	TCP
2025-02-14T21:41:52.756458+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49925	92.255.85.36	9000	TCP
2025-02-14T21:41:53.334416+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49927	92.255.85.36	9000	TCP
2025-02-14T21:41:53.927508+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49929	92.255.85.36	9000	TCP
2025-02-14T21:41:54.503549+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49931	92.255.85.36	9000	TCP
2025-02-14T21:41:55.061164+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49933	92.255.85.36	9000	TCP
2025-02-14T21:41:56.045945+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49936	92.255.85.36	9000	TCP
2025-02-14T21:41:57.187377+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49939	92.255.85.36	9000	TCP
2025-02-14T21:41:57.904047+0100	2052248	1	A Network Trojan was detected	192.168.11.20	49941	92.255.85.36	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-14T21:40:16.562212+0100	2803305	3	Unknown Traffic	192.168.11.20	49773	92.255.85.36	9000	TCP
2025-02-14T21:40:21.612733+0100	2803305	3	Unknown Traffic	192.168.11.20	49777	92.255.85.36	9000	TCP
2025-02-14T21:40:23.355298+0100	2803305	3	Unknown Traffic	192.168.11.20	49779	92.255.85.36	9000	TCP
2025-02-14T21:40:23.936945+0100	2803305	3	Unknown Traffic	192.168.11.20	49780	92.255.85.36	9000	TCP
2025-02-14T21:40:24.510629+0100	2803305	3	Unknown Traffic	192.168.11.20	49781	92.255.85.36	9000	TCP
2025-02-14T21:40:27.280529+0100	2803305	3	Unknown Traffic	192.168.11.20	49784	92.255.85.36	9000	TCP
2025-02-14T21:40:31.801664+0100	2803305	3	Unknown Traffic	192.168.11.20	49791	92.255.85.36	9000	TCP
2025-02-14T21:40:37.758017+0100	2803305	3	Unknown Traffic	192.168.11.20	49795	92.255.85.36	9000	TCP
2025-02-14T21:40:41.308085+0100	2803305	3	Unknown Traffic	192.168.11.20	49802	92.255.85.36	9000	TCP
2025-02-14T21:40:49.435820+0100	2803305	3	Unknown Traffic	192.168.11.20	49816	92.255.85.36	9000	TCP
2025-02-14T21:40:51.125015+0100	2803305	3	Unknown Traffic	192.168.11.20	49819	92.255.85.36	9000	TCP
2025-02-14T21:40:52.882069+0100	2803305	3	Unknown Traffic	192.168.11.20	49822	92.255.85.36	9000	TCP
2025-02-14T21:40:58.590320+0100	2803305	3	Unknown Traffic	192.168.11.20	49831	92.255.85.36	9000	TCP
2025-02-14T21:40:59.803428+0100	2803305	3	Unknown Traffic	192.168.11.20	49833	92.255.85.36	9000	TCP
2025-02-14T21:41:01.552589+0100	2803305	3	Unknown Traffic	192.168.11.20	49836	92.255.85.36	9000	TCP
2025-02-14T21:41:02.105425+0100	2803305	3	Unknown Traffic	192.168.11.20	49837	92.255.85.36	9000	TCP
2025-02-14T21:41:04.247517+0100	2803305	3	Unknown Traffic	192.168.11.20	49839	92.255.85.36	9000	TCP
2025-02-14T21:41:06.051525+0100	2803305	3	Unknown Traffic	192.168.11.20	49842	92.255.85.36	9000	TCP
2025-02-14T21:41:06.613558+0100	2803305	3	Unknown Traffic	192.168.11.20	49843	92.255.85.36	9000	TCP
2025-02-14T21:41:07.698771+0100	2803305	3	Unknown Traffic	192.168.11.20	49845	92.255.85.36	9000	TCP
2025-02-14T21:41:10.530338+0100	2803305	3	Unknown Traffic	192.168.11.20	49850	92.255.85.36	9000	TCP
2025-02-14T21:41:12.253055+0100	2803305	3	Unknown Traffic	192.168.11.20	49853	92.255.85.36	9000	TCP
2025-02-14T21:41:14.005770+0100	2803305	3	Unknown Traffic	192.168.11.20	49856	92.255.85.36	9000	TCP
2025-02-14T21:41:14.555130+0100	2803305	3	Unknown Traffic	192.168.11.20	49857	92.255.85.36	9000	TCP
2025-02-14T21:41:15.123119+0100	2803305	3	Unknown Traffic	192.168.11.20	49858	92.255.85.36	9000	TCP
2025-02-14T21:41:16.217304+0100	2803305	3	Unknown Traffic	192.168.11.20	49860	92.255.85.36	9000	TCP
2025-02-14T21:41:16.783757+0100	2803305	3	Unknown Traffic	192.168.11.20	49861	92.255.85.36	9000	TCP
2025-02-14T21:41:18.538811+0100	2803305	3	Unknown Traffic	192.168.11.20	49864	92.255.85.36	9000	TCP
2025-02-14T21:41:25.218117+0100	2803305	3	Unknown Traffic	192.168.11.20	49872	92.255.85.36	9000	TCP
2025-02-14T21:41:25.771141+0100	2803305	3	Unknown Traffic	192.168.11.20	49873	92.255.85.36	9000	TCP
2025-02-14T21:41:26.339689+0100	2803305	3	Unknown Traffic	192.168.11.20	49874	92.255.85.36	9000	TCP
2025-02-14T21:41:27.499792+0100	2803305	3	Unknown Traffic	192.168.11.20	49876	92.255.85.36	9000	TCP
2025-02-14T21:41:29.278648+0100	2803305	3	Unknown Traffic	192.168.11.20	49879	92.255.85.36	9000	TCP
2025-02-14T21:41:32.225188+0100	2803305	3	Unknown Traffic	192.168.11.20	49884	92.255.85.36	9000	TCP
2025-02-14T21:41:38.652507+0100	2803305	3	Unknown Traffic	192.168.11.20	49891	92.255.85.36	9000	TCP
2025-02-14T21:41:39.315057+0100	2803305	3	Unknown Traffic	192.168.11.20	49894	92.255.85.36	9000	TCP
2025-02-14T21:41:39.852496+0100	2803305	3	Unknown Traffic	192.168.11.20	49896	92.255.85.36	9000	TCP
2025-02-14T21:41:40.609073+0100	2803305	3	Unknown Traffic	192.168.11.20	49898	92.255.85.36	9000	TCP
2025-02-14T21:41:41.619160+0100	2803305	3	Unknown Traffic	192.168.11.20	49901	92.255.85.36	9000	TCP
2025-02-14T21:41:42.406379+0100	2803305	3	Unknown Traffic	192.168.11.20	49903	92.255.85.36	9000	TCP
2025-02-14T21:41:44.012276+0100	2803305	3	Unknown Traffic	192.168.11.20	49904	92.255.85.36	9000	TCP
2025-02-14T21:41:44.586771+0100	2803305	3	Unknown Traffic	192.168.11.20	49907	92.255.85.36	9000	TCP
2025-02-14T21:41:45.286605+0100	2803305	3	Unknown Traffic	192.168.11.20	49910	92.255.85.36	9000	TCP
2025-02-14T21:41:45.901834+0100	2803305	3	Unknown Traffic	192.168.11.20	49912	92.255.85.36	9000	TCP
2025-02-14T21:41:46.852352+0100	2803305	3	Unknown Traffic	192.168.11.20	49915	92.255.85.36	9000	TCP
2025-02-14T21:41:47.413378+0100	2803305	3	Unknown Traffic	192.168.11.20	49917	92.255.85.36	9000	TCP
2025-02-14T21:41:47.959715+0100	2803305	3	Unknown Traffic	192.168.11.20	49919	92.255.85.36	9000	TCP
2025-02-14T21:41:48.657314+0100	2803305	3	Unknown Traffic	192.168.11.20	49921	92.255.85.36	9000	TCP
2025-02-14T21:41:52.064942+0100	2803305	3	Unknown Traffic	192.168.11.20	49923	92.255.85.36	9000	TCP
2025-02-14T21:41:52.756458+0100	2803305	3	Unknown Traffic	192.168.11.20	49925	92.255.85.36	9000	TCP
2025-02-14T21:41:53.334416+0100	2803305	3	Unknown Traffic	192.168.11.20	49927	92.255.85.36	9000	TCP
2025-02-14T21:41:53.927508+0100	2803305	3	Unknown Traffic	192.168.11.20	49929	92.255.85.36	9000	TCP
2025-02-14T21:41:54.503549+0100	2803305	3	Unknown Traffic	192.168.11.20	49931	92.255.85.36	9000	TCP
2025-02-14T21:41:55.061164+0100	2803305	3	Unknown Traffic	192.168.11.20	49933	92.255.85.36	9000	TCP
2025-02-14T21:41:57.904047+0100	2803305	3	Unknown Traffic	192.168.11.20	49941	92.255.85.36	9000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\srva	Avira: detection malicious, Label: TR/Agent.dtyjl
Source: C:\Users\user\AppData\Local\Temp\beo	Avira: detection malicious, Label: TR/Agent.dtyjl

Multi AV Scanner detection for submitted file

Source: SplashWin.exe

Virustotal: Detection: 13%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0E4F0 CryptUnprotectData,		8_2_06C0E4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0EA68 CryptUnprotectData,		8_2_06C0EA68

Source: SplashWin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.11.20:49943 version: TLS 1.2

Source: SplashWin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000000.00000002.124095762423.00000000045FD000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000000.00000002.124097957687.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000002.00000002.124226357020.0000000004407000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124227017741.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124263384068.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124262565614.0000000004603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SplashWin.exe, 00000000.00000002.124095762423.00000000045FD000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000000.00000002.124097957687.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000002.00000002.124226357020.0000000004407000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124227017741.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124263384068.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124262565614.0000000004603000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06BE88ACh	8_2_06BE829D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06BE6286h	8_2_06BE6170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06BE6286h	8_2_06BE6161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 07B74E29h	8_2_07B74990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 07B79F2Ah	8_2_07B79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [ebp-60h]	8_2_07B79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 07B7A59Dh	8_2_07B79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 07B780D1h	8_2_07B780B9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49795 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49779 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49777 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49781 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49778 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49824 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49773 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49771 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49797 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49802 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49790 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49774 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49793 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49792 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49821 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49813 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49818 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49801 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49783 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49830 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49829 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49772 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49811 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49805 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49794 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49786 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49823 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49796 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49841 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49784 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49831 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49780 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49809 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49840 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49837 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49873 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49782 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49775 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49787 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49835 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49808 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49820 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49803 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49800 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49843 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49872 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49816 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49881 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49842 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49839 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49799 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49785 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49776 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49812 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49807 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49815 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49855 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49832 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49854 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49819 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49875 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49806 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49856 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49804 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49844 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49788 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49848 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49834 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49822 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49853 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49867 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49883 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49850 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49817 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49880 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49838 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49789 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49852 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49863 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49791 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49851 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49862 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49826 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49859 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49870 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49814 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49845 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49869 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49833 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49860 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49825 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49876 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49874 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49846 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49847 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49866 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49868 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49849 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49879 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49858 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49877 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49861 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49878 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49884 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49864 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49865 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49882 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49810 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49885 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49827 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49828 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49836 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49857 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49886 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49871 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49890 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49891 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49896 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49894 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49907 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49903 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49912 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49919 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49901 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49917 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49923 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49898 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49925 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49929 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49904 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49927 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49941 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49910 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49933 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49915 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49936 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49921 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49939 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20:49931 -> 92.255.85.36:9000

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 92.255.85.36 ports 9000,1,4,5,7,8,15847

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49941

Source: global traffic

TCP traffic: 192.168.11.20:49770 -> 92.255.85.36:15847

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000

Source: Joe Sandbox View

ASN Name: SOVTEL-ASRU SOVTEL-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49795 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49773 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49781 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49779 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49777 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49802 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49780 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49784 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49831 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49837 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49873 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49839 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49872 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49843 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49816 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49842 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49819 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49856 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49822 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49853 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49850 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49791 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49845 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49833 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49860 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49876 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49874 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49879 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49858 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49861 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49884 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49864 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49836 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49857 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49891 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49896 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49894 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49907 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49903 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49912 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49901 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49919 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49917 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49923 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49898 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49925 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49929 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49904 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49927 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49941 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49910 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49933 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49915 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49921 -> 92.255.85.36:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.11.20:49931 -> 92.255.85.36:9000

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.36

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.36:9000

Source: MSBuild.exe, 00000008.00000002.125343328421.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002DED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
Source: MSBuild.exe, 00000008.00000002.125343328421.00000000030D4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002DED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: MSBuild.exe, 00000008.00000002.125343328421.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.36:9000
Source: MSBuild.exe, 00000008.00000002.125343328421.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.36:9000/wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SplashWin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SplashWin.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SplashWin.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
Source: SplashWin.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SplashWin.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0W
Source: SplashWin.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 00000008.00000002.125343328421.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MSBuild.exe, 00000008.00000002.125343328421.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: SplashWin.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SplashWin.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SplashWin.exe, 00000000.00000002.124096825952.000000000497A000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.0000000004761000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.0000000004966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124226717931.00000000047AA000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000008.00000002.125362200605.000000000958A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009957000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097CD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000988E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000095B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000098B7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000964B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000970C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009674000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000004845000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003BD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000301A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000008.00000002.125362200605.0000000009937000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000309D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab0
Source: MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: MSBuild.exe, 00000009.00000002.124265192418.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/DWCCqGB0
Source: MSBuild.exe, 00000009.00000002.124265192418.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/DWCCqGB0PO
Source: MSBuild.exe, 00000008.00000002.125362200605.0000000009937000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000958A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009957000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097CD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000988E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000095B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000098B7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000964B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000309D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000970C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009674000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000004845000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003BD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: MSBuild.exe, 00000008.00000002.125362200605.0000000009937000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000958A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009957000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097CD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000988E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000095B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000098B7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000964B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000309D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000970C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009674000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000004845000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003BD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SplashWin.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 00000008.00000002.125362200605.000000000958A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097CD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000988E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000095B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000098B7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000964B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000970C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009674000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000008.00000002.125362200605.000000000958A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097CD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000988E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E58000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009735000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000095B3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000098B7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000964B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.000000000970C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009674000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.00000000097F6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: MSBuild.exe, 00000008.00000002.125362200605.0000000009937000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009957000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125362200605.0000000009991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000309D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000004845000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125350934488.0000000003BD3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.000000000301A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002F0B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000003015000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.125343328421.0000000002C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.11.20:49943 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.more.com.52500c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 6.2.more.com.53f00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.more.com.52500c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 6.2.more.com.53f00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 9.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\beo, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\srva, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\SplashWin.exe

Code function: 0_2_004C3004 NtQuerySystemInformation,

0_2_004C3004

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A39E78	8_2_02A39E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A3B7C8	8_2_02A3B7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A3B728	8_2_02A3B728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A354B8	8_2_02A354B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A34B34	8_2_02A34B34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A3188E	8_2_02A3188E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A30EA7	8_2_02A30EA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A3D6EB	8_2_02A3D6EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A39E67	8_2_02A39E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A3D738	8_2_02A3D738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A37740	8_2_02A37740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02A37750	8_2_02A37750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD5AB0	8_2_06BD5AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD82A0	8_2_06BD82A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDC670	8_2_06BDC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD3E58	8_2_06BD3E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDE7B8	8_2_06BDE7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD5388	8_2_06BD5388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD63E8	8_2_06BD63E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDAFE8	8_2_06BDAFE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDD718	8_2_06BDD718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDA710	8_2_06BDA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDA1E8	8_2_06BDA1E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD95C0	8_2_06BD95C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD5AA0	8_2_06BD5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD7AE8	8_2_06BD7AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD7AD7	8_2_06BD7AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDC65B	8_2_06BDC65B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD3E48	8_2_06BD3E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDE7A7	8_2_06BDE7A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD2388	8_2_06BD2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDAFD8	8_2_06BDAFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD63D7	8_2_06BD63D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDD711	8_2_06BDD711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDA70A	8_2_06BDA70A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD5378	8_2_06BD5378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDBC98	8_2_06BDBC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD1C90	8_2_06BD1C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDBC7A	8_2_06BDBC7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BD7D98	8_2_06BD7D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDA1D8	8_2_06BDA1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BE0040	8_2_06BE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BE6A48	8_2_06BE6A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BE0006	8_2_06BE0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BE0E7F	8_2_06BE0E7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C026C9	8_2_06C026C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0AA83	8_2_06C0AA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C05668	8_2_06C05668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C02BE6	8_2_06C02BE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C09BB0	8_2_06C09BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C03B50	8_2_06C03B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C04887	8_2_06C04887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C00040	8_2_06C00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0F598	8_2_06C0F598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C03290	8_2_06C03290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C05EB0	8_2_06C05EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C07BCD	8_2_06C07BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C09B93	8_2_06C09B93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C06F2F	8_2_06C06F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C00007	8_2_06C00007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0ED72	8_2_06C0ED72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0741EA70	8_2_0741EA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07411A20	8_2_07411A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07418976	8_2_07418976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0741D460	8_2_0741D460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0741D470	8_2_0741D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07410C50	8_2_07410C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0741EA60	8_2_0741EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07417A90	8_2_07417A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B783A0	8_2_07B783A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B73FA8	8_2_07B73FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B77120	8_2_07B77120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7B090	8_2_07B7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B75AF0	8_2_07B75AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7A62A	8_2_07B7A62A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B74E58	8_2_07B74E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B70040	8_2_07B70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B79240	8_2_07B79240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7E3B8	8_2_07B7E3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B78390	8_2_07B78390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B73F98	8_2_07B73F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7D3FD	8_2_07B7D3FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7E3C8	8_2_07B7E3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7E120	8_2_07B7E120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B736A0	8_2_07B736A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7D690	8_2_07B7D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B75AE7	8_2_07B75AE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B79230	8_2_07B79230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B70006	8_2_07B70006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7BA00	8_2_07B7BA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_02FE54B8	9_2_02FE54B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_02FE4B34	9_2_02FE4B34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_02FE188E	9_2_02FE188E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_02FE7750	9_2_02FE7750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_02FE7740	9_2_02FE7740

Source: SplashWin.exe

Static PE information: invalid certificate

Source: SplashWin.exe

Static PE information: Number of sections : 12 > 10

Source: SplashWin.exe, 00000000.00000002.124096825952.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs SplashWin.exe
Source: SplashWin.exe, 00000000.00000002.124095762423.0000000004720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SplashWin.exe
Source: SplashWin.exe, 00000000.00000002.124097957687.000000000503D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SplashWin.exe

Source: SplashWin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.more.com.52500c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 6.2.more.com.53f00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.52500c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 6.2.more.com.53f00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 9.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\beo, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\srva, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 2.2.more.com.52500c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.more.com.53f00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/12@1/1

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Roaming\FindOnClick

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\5c8947d1385c4e608aa7a0853c65418d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1692:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1692:120:WilError_03

Source: C:\Users\user\Desktop\SplashWin.exe

File created: C:\Users\user\AppData\Local\Temp\e3afabff

Jump to behavior

Source: C:\Users\user\Desktop\SplashWin.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SplashWin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SplashWin.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\SplashWin.exe

File read: C:\Users\user\Desktop\SplashWin.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SplashWin.exe "C:\Users\user\Desktop\SplashWin.exe"
Source: C:\Users\user\Desktop\SplashWin.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SplashWin.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\SysWOW64\more.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32

Jump to behavior

Source: SplashWin.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SplashWin.exe

Static file information: File size 6362203 > 1048576

Source: SplashWin.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8800
Source: SplashWin.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x180800
Source: SplashWin.exe	Static PE information: Raw size of _RDATA is bigger than: 0x100000 < 0x18f35b

Source: SplashWin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000000.00000002.124095762423.00000000045FD000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000000.00000002.124097957687.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000002.00000002.124226357020.0000000004407000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124227017741.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124263384068.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124262565614.0000000004603000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SplashWin.exe, 00000000.00000002.124095762423.00000000045FD000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000000.00000002.124097957687.0000000004F10000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000002.00000002.124226357020.0000000004407000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.124227017741.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124263384068.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.124262565614.0000000004603000.00000004.00000020.00020000.00000000.sdmp

Source: srva.2.dr	Static PE information: real checksum: 0x0 should be: 0xc5de0
Source: SplashWin.exe	Static PE information: real checksum: 0x3cda61 should be: 0x619d80
Source: beo.6.dr	Static PE information: real checksum: 0x0 should be: 0xc5de0

Source: SplashWin.exe	Static PE information: section name: .didata
Source: SplashWin.exe	Static PE information: section name: _RDATA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDA6F6 pushfd ; retf	8_2_06BDA709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BDAEDD pushad ; iretd	8_2_06BDAEE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BEB771 push es; ret	8_2_06BEB780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06BE4D2A pushfd ; ret	8_2_06BE4D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C0BFCA push esp; ret	8_2_06C0BFD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_06C093F3 push es; ret	8_2_06C093FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07412EF7 push ebp; iretd	8_2_07412EFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07415833 push es; ret	8_2_07415840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_07B7218B push cs; ret	8_2_07B72221

Source: srva.2.dr	Static PE information: section name: .text entropy: 6.939591378361454
Source: beo.6.dr	Static PE information: section name: .text entropy: 6.939591378361454

Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\beo			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\srva			Jump to dropped file

Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\srva			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\beo			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SRVA
Source: C:\Windows\SysWOW64\more.com	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BEO

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49941

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SplashWin.exe	API/Special instruction interceptor: Address: 6D3C7C44
Source: C:\Users\user\Desktop\SplashWin.exe	API/Special instruction interceptor: Address: 6D3C7945
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 6D3C3B54
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	API/Special instruction interceptor: Address: 6D3C7C44
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	API/Special instruction interceptor: Address: 6D3C7945

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 51A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window / User API: threadDelayed 9917

Jump to behavior

Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\beo			Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\srva			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 832	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 832	Thread sleep time: -59891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -39661s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 832	Thread sleep time: -59781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -36081s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -47273s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -58604s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -56476s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -38642s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -55966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -44240s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4100	Thread sleep time: -42809s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39661	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47273	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58604	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56476	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44240	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42809	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: MSBuild.exe, 00000008.00000002.125339423328.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: more.com, 00000006.00000002.124262993255.00000000049AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\Desktop\SplashWin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SplashWin.exe

Code function: 0_2_004C36D4 mov eax, dword ptr fs:[00000030h]

0_2_004C36D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SplashWin.exe	NtSetInformationThread: Direct from: 0x4C4375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	NtQuerySystemInformation: Direct from: 0x775D7A4E	Jump to behavior
Source: C:\Users\user\Desktop\SplashWin.exe	NtQuerySystemInformation: Direct from: 0x3FBA9B	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SplashWin.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6BAA1000	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7F8008	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6BAA1000	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F4A008	Jump to behavior

Source: C:\Users\user\Desktop\SplashWin.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SplashWin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\e3afabff VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FindOnClick\IbConsole.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\e9db0d4c VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.more.com.52500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.more.com.52500c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.124263973700.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.124262503392.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.124227499563.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 1824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\beo, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\srva, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 2.2.more.com.52500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.more.com.52500c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.124263973700.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.124262503392.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.125357093809.0000000006064000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.124227499563.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 1824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\srva, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\beo, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 2.2.more.com.52500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.more.com.52500c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.more.com.53f00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.1100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.124263973700.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.124262503392.0000000001102000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.124227499563.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: more.com PID: 1824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: more.com PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5212, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\beo, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\srva, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	11 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	11 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	213 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SplashWin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SplashWin.exe