Windows Analysis Report
WNBOZYUN.msi

Overview

General Information

Sample name: WNBOZYUN.msi
Analysis ID: 1626773
MD5: fbad39a4e69da1cc3bf48541c7905d4c
SHA1: 747b277cd5bb37e719877e45864f3beedc949f06
SHA256: 923efb46578f7f31a9734ec1d7e7e1b9edf1560fec54d7319179aa51cf3dd26a
Infos:

Detection

RedLine, SectopRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected SectopRAT
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64native
  • msiexec.exe (PID: 8008 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WNBOZYUN.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3668 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 1228 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CF32977746E218EEEDE7CA2544B2F355 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • ISBEW64.exe (PID: 284 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA76FFC7-070F-48AA-A57E-E6EA04FB65AC} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7604 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{92500C82-953F-402F-B6F9-789DEC6E960E} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 5912 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E9B171B-8544-422E-9E42-CEF439811C75} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 1752 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{715C38EC-9C71-4312-AEB8-36B923691B1B} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 824 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18A2E0DE-C8B0-4F09-8999-BC6F4666FB02} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A1B3A247-9AAE-4F1C-8301-F31840EC13D8} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 2788 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27C98D69-B6ED-4325-8361-1D393661067B} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 832 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{740CDDF4-C0DD-4B2A-84ED-1DFE4BAB4319} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 1752 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{24B6B0B2-3219-47E3-8888-4F1C15C69403} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 824 cmdline: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56147674-C8B6-4BE4-9BB1-668D7373710C} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • RoboTaskLite.exe (PID: 8216 cmdline: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC)
        • RoboTaskLite.exe (PID: 8248 cmdline: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC)
          • cmd.exe (PID: 8284 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • MSBuild.exe (PID: 8688 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • RoboTaskLite.exe (PID: 9028 cmdline: "C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe" MD5: 6EE5F7F9F0016B5CC4F93A949A08F0DC)
    • cmd.exe (PID: 9048 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 9060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • MSBuild.exe (PID: 9176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Yara matches on dropped files (Source | Rule | Description | Author | Strings):

Source: C:\Users\user\AppData\Local\Temp\nxscuox | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\nxscuox | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\nxscuox | Rule: MALWARE_Win_Arechclient2 | Description: Detects Arechclient2 RAT | Author: ditekSHen | Strings:
  • 0xb50d6:$s14: keybd_event
  • 0xbc02e:$v1_1: grabber@
  • 0xb5c92:$v1_2: <BrowserProfile>k__
  • 0xb671f:$v1_3: <SystemHardwares>k__
  • 0xb67de:$v1_5: <ScannedWallets>k__
  • 0xb686e:$v1_6: <DicrFiles>k__
  • 0xb684a:$v1_7: <MessageClientFiles>k__
  • 0xb6c14:$v1_8: <ScanBrowsers>k__BackingField
  • 0xb6c66:$v1_8: <ScanWallets>k__BackingField
  • 0xb6c83:$v1_8: <ScanScreen>k__BackingField
  • 0xb6cbd:$v1_8: <ScanVPN>k__BackingField
  • 0xa85f6:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xa7f02:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Source: C:\Users\user\AppData\Local\Temp\oby | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\oby | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Yara matches on memory dumps (Source | Rule | Description | Author | Strings):

Source: 00000017.00000002.2316820013.0000000005100000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000017.00000002.2316820013.0000000005100000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000010.00000002.1995781637.0000000006210000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000010.00000002.1995781637.0000000006210000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000019.00000002.2314418981.0000000000F02000.00000002.00000001.01000000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Yara matches on unpacked PE files (Source | Rule | Description | Author | Strings):

Source: 25.2.MSBuild.exe.f00000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 25.2.MSBuild.exe.f00000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 25.2.MSBuild.exe.f00000.0.unpack | Rule: MALWARE_Win_Arechclient2 | Description: Detects Arechclient2 RAT | Author: ditekSHen | Strings:
  • 0xb50d6:$s14: keybd_event
  • 0xbc02e:$v1_1: grabber@
  • 0xb5c92:$v1_2: <BrowserProfile>k__
  • 0xb671f:$v1_3: <SystemHardwares>k__
  • 0xb67de:$v1_5: <ScannedWallets>k__
  • 0xb686e:$v1_6: <DicrFiles>k__
  • 0xb684a:$v1_7: <MessageClientFiles>k__
  • 0xb6c14:$v1_8: <ScanBrowsers>k__BackingField
  • 0xb6c66:$v1_8: <ScanWallets>k__BackingField
  • 0xb6c83:$v1_8: <ScanScreen>k__BackingField
  • 0xb6cbd:$v1_8: <ScanVPN>k__BackingField
  • 0xa85f6:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xa7f02:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Source: 16.2.cmd.exe.62100c8.6.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 16.2.cmd.exe.62100c8.6.raw.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
                            No Sigma rule has matched
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-28T21:49:15.639349+010020522481A Network Trojan was detected192.168.11.204972192.255.85.239000TCP
                            2025-02-28T21:49:16.332150+010020522481A Network Trojan was detected192.168.11.204972392.255.85.239000TCP
                            2025-02-28T21:49:17.001457+010020522481A Network Trojan was detected192.168.11.204972492.255.85.239000TCP
                            2025-02-28T21:49:17.669279+010020522481A Network Trojan was detected192.168.11.204972592.255.85.239000TCP
                            2025-02-28T21:49:18.338009+010020522481A Network Trojan was detected192.168.11.204972692.255.85.239000TCP
                            2025-02-28T21:49:19.009232+010020522481A Network Trojan was detected192.168.11.204972792.255.85.239000TCP
                            2025-02-28T21:49:19.682736+010020522481A Network Trojan was detected192.168.11.204972892.255.85.239000TCP
                            2025-02-28T21:49:20.341325+010020522481A Network Trojan was detected192.168.11.204972992.255.85.239000TCP
                            2025-02-28T21:49:21.008206+010020522481A Network Trojan was detected192.168.11.204973092.255.85.239000TCP
                            2025-02-28T21:49:21.676092+010020522481A Network Trojan was detected192.168.11.204973192.255.85.239000TCP
                            2025-02-28T21:49:22.354750+010020522481A Network Trojan was detected192.168.11.204973292.255.85.239000TCP
                            2025-02-28T21:49:23.025397+010020522481A Network Trojan was detected192.168.11.204973392.255.85.239000TCP
                            2025-02-28T21:49:23.697663+010020522481A Network Trojan was detected192.168.11.204973492.255.85.239000TCP
                            2025-02-28T21:49:24.356086+010020522481A Network Trojan was detected192.168.11.204973592.255.85.239000TCP
                            2025-02-28T21:49:25.024715+010020522481A Network Trojan was detected192.168.11.204973692.255.85.239000TCP
                            2025-02-28T21:49:25.688136+010020522481A Network Trojan was detected192.168.11.204973792.255.85.239000TCP
                            2025-02-28T21:49:26.360321+010020522481A Network Trojan was detected192.168.11.204973892.255.85.239000TCP
                            2025-02-28T21:49:27.042496+010020522481A Network Trojan was detected192.168.11.204973992.255.85.239000TCP
                            2025-02-28T21:49:27.700237+010020522481A Network Trojan was detected192.168.11.204974092.255.85.239000TCP
                            2025-02-28T21:49:28.371689+010020522481A Network Trojan was detected192.168.11.204974192.255.85.239000TCP
                            2025-02-28T21:49:29.045551+010020522481A Network Trojan was detected192.168.11.204974292.255.85.239000TCP
                            2025-02-28T21:49:29.726819+010020522481A Network Trojan was detected192.168.11.204974392.255.85.239000TCP
                            2025-02-28T21:49:30.392725+010020522481A Network Trojan was detected192.168.11.204974492.255.85.239000TCP
                            2025-02-28T21:49:31.091530+010020522481A Network Trojan was detected192.168.11.204974592.255.85.239000TCP
                            2025-02-28T21:49:31.774416+010020522481A Network Trojan was detected192.168.11.204974692.255.85.239000TCP
                            2025-02-28T21:49:32.444646+010020522481A Network Trojan was detected192.168.11.204974792.255.85.239000TCP
                            2025-02-28T21:49:33.107175+010020522481A Network Trojan was detected192.168.11.204974892.255.85.239000TCP
                            2025-02-28T21:49:33.779553+010020522481A Network Trojan was detected192.168.11.204974992.255.85.239000TCP
                            2025-02-28T21:49:34.458836+010020522481A Network Trojan was detected192.168.11.204975092.255.85.239000TCP
                            2025-02-28T21:49:35.119069+010020522481A Network Trojan was detected192.168.11.204975192.255.85.239000TCP
                            2025-02-28T21:49:35.780920+010020522481A Network Trojan was detected192.168.11.204975292.255.85.239000TCP
                            2025-02-28T21:49:36.459307+010020522481A Network Trojan was detected192.168.11.204975392.255.85.239000TCP
                            2025-02-28T21:49:37.134636+010020522481A Network Trojan was detected192.168.11.204975492.255.85.239000TCP
                            2025-02-28T21:49:37.816587+010020522481A Network Trojan was detected192.168.11.204975592.255.85.239000TCP
                            2025-02-28T21:49:38.482749+010020522481A Network Trojan was detected192.168.11.204975692.255.85.239000TCP
                            2025-02-28T21:49:39.154421+010020522481A Network Trojan was detected192.168.11.204975792.255.85.239000TCP
                            2025-02-28T21:49:39.827188+010020522481A Network Trojan was detected192.168.11.204975892.255.85.239000TCP
                            2025-02-28T21:49:40.507387+010020522481A Network Trojan was detected192.168.11.204975992.255.85.239000TCP
                            2025-02-28T21:49:41.183527+010020522481A Network Trojan was detected192.168.11.204976092.255.85.239000TCP
                            2025-02-28T21:49:41.863507+010020522481A Network Trojan was detected192.168.11.204976192.255.85.239000TCP
                            2025-02-28T21:49:42.536772+010020522481A Network Trojan was detected192.168.11.204976292.255.85.239000TCP
                            2025-02-28T21:49:43.207901+010020522481A Network Trojan was detected192.168.11.204976392.255.85.239000TCP
                            2025-02-28T21:49:43.902691+010020522481A Network Trojan was detected192.168.11.204976492.255.85.239000TCP
                            2025-02-28T21:49:44.570838+010020522481A Network Trojan was detected192.168.11.204976592.255.85.239000TCP
                            2025-02-28T21:49:45.242743+010020522481A Network Trojan was detected192.168.11.204976692.255.85.239000TCP
                            2025-02-28T21:49:45.914241+010020522481A Network Trojan was detected192.168.11.204976792.255.85.239000TCP
                            2025-02-28T21:49:46.605846+010020522481A Network Trojan was detected192.168.11.204976892.255.85.239000TCP
                            2025-02-28T21:49:47.274157+010020522481A Network Trojan was detected192.168.11.204976992.255.85.239000TCP
                            2025-02-28T21:49:47.960716+010020522481A Network Trojan was detected192.168.11.204977092.255.85.239000TCP
                            2025-02-28T21:49:48.680352+010020522481A Network Trojan was detected192.168.11.204977192.255.85.239000TCP
                            2025-02-28T21:49:49.367194+010020522481A Network Trojan was detected192.168.11.204977292.255.85.239000TCP
                            2025-02-28T21:49:50.052855+010020522481A Network Trojan was detected192.168.11.204977392.255.85.239000TCP
                            2025-02-28T21:49:50.708820+010020522481A Network Trojan was detected192.168.11.204977492.255.85.239000TCP
                            2025-02-28T21:49:51.373614+010020522481A Network Trojan was detected192.168.11.204977592.255.85.239000TCP
                            2025-02-28T21:49:52.038264+010020522481A Network Trojan was detected192.168.11.204977692.255.85.239000TCP
                            2025-02-28T21:49:52.722678+010020522481A Network Trojan was detected192.168.11.204977792.255.85.239000TCP
                            2025-02-28T21:49:53.382829+010020522481A Network Trojan was detected192.168.11.204977892.255.85.239000TCP
                            2025-02-28T21:49:54.067477+010020522481A Network Trojan was detected192.168.11.204977992.255.85.239000TCP
                            2025-02-28T21:49:54.729970+010020522481A Network Trojan was detected192.168.11.204978092.255.85.239000TCP
                            2025-02-28T21:49:55.424910+010020522481A Network Trojan was detected192.168.11.204978192.255.85.239000TCP
                            2025-02-28T21:49:56.355608+010020522481A Network Trojan was detected192.168.11.204978292.255.85.239000TCP
                            2025-02-28T21:49:57.138462+010020522481A Network Trojan was detected192.168.11.204978392.255.85.239000TCP
                            2025-02-28T21:49:57.808303+010020522481A Network Trojan was detected192.168.11.204978492.255.85.239000TCP
                            2025-02-28T21:49:58.725564+010020522481A Network Trojan was detected192.168.11.204978592.255.85.239000TCP
                            2025-02-28T21:49:59.400724+010020522481A Network Trojan was detected192.168.11.204978692.255.85.239000TCP
                            2025-02-28T21:50:00.317077+010020522481A Network Trojan was detected192.168.11.204978792.255.85.239000TCP
                            2025-02-28T21:50:01.009304+010020522481A Network Trojan was detected192.168.11.204978892.255.85.239000TCP
                            2025-02-28T21:50:01.678384+010020522481A Network Trojan was detected192.168.11.204978992.255.85.239000TCP
                            2025-02-28T21:50:02.492395+010020522481A Network Trojan was detected192.168.11.204979092.255.85.239000TCP
                            2025-02-28T21:50:03.322718+010020522481A Network Trojan was detected192.168.11.204979192.255.85.239000TCP
                            2025-02-28T21:50:04.079042+010020522481A Network Trojan was detected192.168.11.204979292.255.85.239000TCP
                            2025-02-28T21:50:04.997835+010020522481A Network Trojan was detected192.168.11.204979392.255.85.239000TCP
                            2025-02-28T21:50:05.665489+010020522481A Network Trojan was detected192.168.11.204979492.255.85.239000TCP
                            2025-02-28T21:50:06.365705+010020522481A Network Trojan was detected192.168.11.204979592.255.85.239000TCP
                            2025-02-28T21:50:07.282606+010020522481A Network Trojan was detected192.168.11.204979692.255.85.239000TCP
                            2025-02-28T21:50:07.943582+010020522481A Network Trojan was detected192.168.11.204979792.255.85.239000TCP
                            2025-02-28T21:50:09.642044+010020522481A Network Trojan was detected192.168.11.204979892.255.85.239000TCP
                            2025-02-28T21:50:10.343524+010020522481A Network Trojan was detected192.168.11.204979992.255.85.239000TCP
                            2025-02-28T21:50:11.106605+010020522481A Network Trojan was detected192.168.11.204980092.255.85.239000TCP
                            2025-02-28T21:50:13.036881+010020522481A Network Trojan was detected192.168.11.204980192.255.85.239000TCP
                            2025-02-28T21:50:14.753432+010020522481A Network Trojan was detected192.168.11.204980292.255.85.239000TCP
                            2025-02-28T21:50:15.662289+010020522481A Network Trojan was detected192.168.11.204980392.255.85.239000TCP
                            2025-02-28T21:50:16.373764+010020522481A Network Trojan was detected192.168.11.204980492.255.85.239000TCP
                            2025-02-28T21:50:17.172794+010020522481A Network Trojan was detected192.168.11.204980592.255.85.239000TCP
                            2025-02-28T21:50:17.844478+010020522481A Network Trojan was detected192.168.11.204980692.255.85.239000TCP
                            2025-02-28T21:50:18.760545+010020522481A Network Trojan was detected192.168.11.204980792.255.85.239000TCP
                            2025-02-28T21:50:19.661929+010020522481A Network Trojan was detected192.168.11.204980892.255.85.239000TCP
                            2025-02-28T21:50:20.564060+010020522481A Network Trojan was detected192.168.11.204981092.255.85.239000TCP
                            2025-02-28T21:50:21.580581+010020522481A Network Trojan was detected192.168.11.204981292.255.85.239000TCP
                            2025-02-28T21:50:22.522758+010020522481A Network Trojan was detected192.168.11.204981392.255.85.239000TCP
                            2025-02-28T21:50:23.428336+010020522481A Network Trojan was detected192.168.11.204981492.255.85.239000TCP
                            2025-02-28T21:50:24.252184+010020522481A Network Trojan was detected192.168.11.204981592.255.85.239000TCP
                            2025-02-28T21:50:25.163162+010020522481A Network Trojan was detected192.168.11.204981692.255.85.239000TCP
                            2025-02-28T21:50:25.954313+010020522481A Network Trojan was detected192.168.11.204981792.255.85.239000TCP
                            2025-02-28T21:50:26.637128+010020522481A Network Trojan was detected192.168.11.204981892.255.85.239000TCP
                            2025-02-28T21:50:27.307581+010020522481A Network Trojan was detected192.168.11.204981992.255.85.239000TCP
                            2025-02-28T21:50:28.077227+010020522481A Network Trojan was detected192.168.11.204982092.255.85.239000TCP
                            2025-02-28T21:50:28.755337+010020522481A Network Trojan was detected192.168.11.204982292.255.85.239000TCP
                            2025-02-28T21:50:29.432979+010020522481A Network Trojan was detected192.168.11.204982492.255.85.239000TCP
                            2025-02-28T21:50:30.356199+010020522481A Network Trojan was detected192.168.11.204982592.255.85.239000TCP
                            2025-02-28T21:50:31.012721+010020522481A Network Trojan was detected192.168.11.204982692.255.85.239000TCP
                            2025-02-28T21:50:31.740695+010020522481A Network Trojan was detected192.168.11.204982792.255.85.239000TCP
                            2025-02-28T21:50:32.417387+010020522481A Network Trojan was detected192.168.11.204982892.255.85.239000TCP
                            2025-02-28T21:50:33.086988+010020522481A Network Trojan was detected192.168.11.204983092.255.85.239000TCP
                            2025-02-28T21:50:33.747692+010020522481A Network Trojan was detected192.168.11.204983192.255.85.239000TCP
                            2025-02-28T21:50:34.428126+010020522481A Network Trojan was detected192.168.11.204983492.255.85.239000TCP
                            2025-02-28T21:50:35.776972+010020522481A Network Trojan was detected192.168.11.204983692.255.85.239000TCP
                            2025-02-28T21:50:36.494250+010020522481A Network Trojan was detected192.168.11.204983892.255.85.239000TCP
                            2025-02-28T21:50:39.198102+010020522481A Network Trojan was detected192.168.11.204984292.255.85.239000TCP
                            2025-02-28T21:50:39.858441+010020522481A Network Trojan was detected192.168.11.204984392.255.85.239000TCP
                            2025-02-28T21:50:40.540355+010020522481A Network Trojan was detected192.168.11.204984492.255.85.239000TCP
                            2025-02-28T21:50:41.429136+010020522481A Network Trojan was detected192.168.11.204984792.255.85.239000TCP
                            2025-02-28T21:50:42.527982+010020522481A Network Trojan was detected192.168.11.204985092.255.85.239000TCP
                            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                            2025-02-28T21:49:16.332150+010028033053Unknown Traffic192.168.11.204972392.255.85.239000TCP
                            2025-02-28T21:49:18.338009+010028033053Unknown Traffic192.168.11.204972692.255.85.239000TCP
                            2025-02-28T21:49:19.682736+010028033053Unknown Traffic192.168.11.204972892.255.85.239000TCP
                            2025-02-28T21:49:21.676092+010028033053Unknown Traffic192.168.11.204973192.255.85.239000TCP
                            2025-02-28T21:49:22.354750+010028033053Unknown Traffic192.168.11.204973292.255.85.239000TCP
                            2025-02-28T21:49:23.025397+010028033053Unknown Traffic192.168.11.204973392.255.85.239000TCP
                            2025-02-28T21:49:25.024715+010028033053Unknown Traffic192.168.11.204973692.255.85.239000TCP
                            2025-02-28T21:49:26.360321+010028033053Unknown Traffic192.168.11.204973892.255.85.239000TCP
                            2025-02-28T21:49:28.371689+010028033053Unknown Traffic192.168.11.204974192.255.85.239000TCP
                            2025-02-28T21:49:29.726819+010028033053Unknown Traffic192.168.11.204974392.255.85.239000TCP
                            2025-02-28T21:49:31.091530+010028033053Unknown Traffic192.168.11.204974592.255.85.239000TCP
                            2025-02-28T21:49:32.444646+010028033053Unknown Traffic192.168.11.204974792.255.85.239000TCP
                            2025-02-28T21:49:33.779553+010028033053Unknown Traffic192.168.11.204974992.255.85.239000TCP
                            2025-02-28T21:49:35.780920+010028033053Unknown Traffic192.168.11.204975292.255.85.239000TCP
                            Timestamp                        SID      Severity  Message          Source IP      Src Port  Destination IP  Dst Port  Protocol
                            2025-02-28T21:49:37.816587+0100  2803305  3         Unknown Traffic  192.168.11.20  49755     92.255.85.23    9000      TCP
                            2025-02-28T21:49:38.482749+0100  2803305  3         Unknown Traffic  192.168.11.20  49756     92.255.85.23    9000      TCP
                            2025-02-28T21:49:39.154421+0100  2803305  3         Unknown Traffic  192.168.11.20  49757     92.255.85.23    9000      TCP
                            2025-02-28T21:49:39.827188+0100  2803305  3         Unknown Traffic  192.168.11.20  49758     92.255.85.23    9000      TCP
                            2025-02-28T21:49:40.507387+0100  2803305  3         Unknown Traffic  192.168.11.20  49759     92.255.85.23    9000      TCP
                            2025-02-28T21:49:41.183527+0100  2803305  3         Unknown Traffic  192.168.11.20  49760     92.255.85.23    9000      TCP
                            2025-02-28T21:49:43.207901+0100  2803305  3         Unknown Traffic  192.168.11.20  49763     92.255.85.23    9000      TCP
                            2025-02-28T21:49:44.570838+0100  2803305  3         Unknown Traffic  192.168.11.20  49765     92.255.85.23    9000      TCP
                            2025-02-28T21:49:48.680352+0100  2803305  3         Unknown Traffic  192.168.11.20  49771     92.255.85.23    9000      TCP
                            2025-02-28T21:49:50.052855+0100  2803305  3         Unknown Traffic  192.168.11.20  49773     92.255.85.23    9000      TCP
                            2025-02-28T21:49:50.708820+0100  2803305  3         Unknown Traffic  192.168.11.20  49774     92.255.85.23    9000      TCP
                            2025-02-28T21:49:56.355608+0100  2803305  3         Unknown Traffic  192.168.11.20  49782     92.255.85.23    9000      TCP
                            2025-02-28T21:49:59.400724+0100  2803305  3         Unknown Traffic  192.168.11.20  49786     92.255.85.23    9000      TCP
                            2025-02-28T21:50:01.009304+0100  2803305  3         Unknown Traffic  192.168.11.20  49788     92.255.85.23    9000      TCP
                            2025-02-28T21:50:05.665489+0100  2803305  3         Unknown Traffic  192.168.11.20  49794     92.255.85.23    9000      TCP
                            2025-02-28T21:50:06.365705+0100  2803305  3         Unknown Traffic  192.168.11.20  49795     92.255.85.23    9000      TCP
                            2025-02-28T21:50:16.373764+0100  2803305  3         Unknown Traffic  192.168.11.20  49804     92.255.85.23    9000      TCP
                            2025-02-28T21:50:17.172794+0100  2803305  3         Unknown Traffic  192.168.11.20  49805     92.255.85.23    9000      TCP
                            2025-02-28T21:50:18.760545+0100  2803305  3         Unknown Traffic  192.168.11.20  49807     92.255.85.23    9000      TCP
                            2025-02-28T21:50:21.580581+0100  2803305  3         Unknown Traffic  192.168.11.20  49812     92.255.85.23    9000      TCP
                            2025-02-28T21:50:22.522758+0100  2803305  3         Unknown Traffic  192.168.11.20  49813     92.255.85.23    9000      TCP
                            2025-02-28T21:50:23.428336+0100  2803305  3         Unknown Traffic  192.168.11.20  49814     92.255.85.23    9000      TCP
                            2025-02-28T21:50:24.252184+0100  2803305  3         Unknown Traffic  192.168.11.20  49815     92.255.85.23    9000      TCP
                            2025-02-28T21:50:25.163162+0100  2803305  3         Unknown Traffic  192.168.11.20  49816     92.255.85.23    9000      TCP
                            2025-02-28T21:50:25.954313+0100  2803305  3         Unknown Traffic  192.168.11.20  49817     92.255.85.23    9000      TCP
                            2025-02-28T21:50:28.077227+0100  2803305  3         Unknown Traffic  192.168.11.20  49820     92.255.85.23    9000      TCP
                            2025-02-28T21:50:31.012721+0100  2803305  3         Unknown Traffic  192.168.11.20  49826     92.255.85.23    9000      TCP
                            2025-02-28T21:50:32.417387+0100  2803305  3         Unknown Traffic  192.168.11.20  49828     92.255.85.23    9000      TCP
                            2025-02-28T21:50:33.086988+0100  2803305  3         Unknown Traffic  192.168.11.20  49830     92.255.85.23    9000      TCP
                            2025-02-28T21:50:39.858441+0100  2803305  3         Unknown Traffic  192.168.11.20  49843     92.255.85.23    9000      TCP
                            2025-02-28T21:50:40.540355+0100  2803305  3         Unknown Traffic  192.168.11.20  49844     92.255.85.23    9000      TCP
                            2025-02-28T21:50:41.429136+0100  2803305  3         Unknown Traffic  192.168.11.20  49847     92.255.85.23    9000      TCP
                            2025-02-28T21:50:42.527982+0100  2803305  3         Unknown Traffic  192.168.11.20  49850     92.255.85.23    9000      TCP

                            AV Detection

                            Source: C:\Users\user\AppData\Local\Temp\oby  Avira: detection malicious, Label: HEUR/AGEN.1307453
                            Source: C:\Users\user\AppData\Local\Temp\nxscuox  Avira: detection malicious, Label: HEUR/AGEN.1307453
                            Source: WNBOZYUN.msi  Virustotal: Detection: 8%
                            Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 21_2_0715BE18 CryptUnprotectData, 21_2_0715BE18
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 21_2_0715C3D8 CryptUnprotectData, 21_2_0715C3D8
                            Source: Binary string: System.Windows.Forms.pdb source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
                            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
                            Source: Binary string: System.Windows.Forms.ni.pdb source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
                            Source: Binary string: System.Drawing.pdb source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
                            Source: Binary string: wntdll.pdbUGP source: RoboTaskLite.exe, 0000000E.00000002.1699269189.00000000097F6000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000002.1699979016.0000000009B50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1993896260.000000000538E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994753374.0000000005860000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2316206132.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315110494.000000000475D000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Drawing.ni.pdb source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
                            Source: Binary string: wntdll.pdb source: RoboTaskLite.exe, 0000000E.00000002.1699269189.00000000097F6000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000002.1699979016.0000000009B50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1993896260.000000000538E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994753374.0000000005860000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2316206132.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315110494.000000000475D000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Drawing.ni.pdbRSDS source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
                            Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000004.00000002.1675618110.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1672941239.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1676258702.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1673719563.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1676806540.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1674488757.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1677304517.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1675280936.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1676072102.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1678032706.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1697859923.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1677296572.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1680040069.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1677919117.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1681197813.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1678535284.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1679171611.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1682063704.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000002.1682934777.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000000.1679901810.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp
                            Source: C:\Windows\System32\msiexec.exe  File opened: z:
                            Source: C:\Windows\System32\msiexec.exe  File opened: x:
                            Source: C:\Windows\System32\msiexec.exe  File opened: v:
                            Source: C:\Windows\System32\msiexec.exe  File opened: t:
                            Source: C:\Windows\System32\msiexec.exe  File opened: r:
                            Source: C:\Windows\System32\msiexec.exe  File opened: p:
                            Source: C:\Windows\System32\msiexec.exe  File opened: n:
                            Source: C:\Windows\System32\msiexec.exe  File opened: l:
                            Source: C:\Windows\System32\msiexec.exe  File opened: j:
                            Source: C:\Windows\System32\msiexec.exe  File opened: h:
                            Source: C:\Windows\System32\msiexec.exe  File opened: f:
                            Source: C:\Windows\System32\msiexec.exe  File opened: d:
                            Source: C:\Windows\System32\msiexec.exe  File opened: b:
                            Source: C:\Windows\System32\msiexec.exe  File opened: y:
                            Source: C:\Windows\System32\msiexec.exe  File opened: w:
                            Source: C:\Windows\System32\msiexec.exe  File opened: u:
                            Source: C:\Windows\System32\msiexec.exe  File opened: s:
                            Source: C:\Windows\System32\msiexec.exe  File opened: q:
                            Source: C:\Windows\System32\msiexec.exe  File opened: o:
                            Source: C:\Windows\System32\msiexec.exe  File opened: m:
                            Source: C:\Windows\System32\msiexec.exe  File opened: k:
                            Source: C:\Windows\System32\msiexec.exe  File opened: i:
                            Source: C:\Windows\System32\msiexec.exe  File opened: g:
                            Source: C:\Windows\System32\msiexec.exe  File opened: e:
                            Source: C:\Windows\SysWOW64\cmd.exe  File opened: c:
                            Source: C:\Windows\System32\msiexec.exe  File opened: a:
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 4x nop then jmp 0338F4B9h  21_2_0338F0F8
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 4x nop then jmp 0338F4B9h  21_2_0338F0F8
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 4x nop then jmp 077306F4h  21_2_077300E5
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 4x nop then jmp 07739719h  21_2_07739701

                            Networking

                            Source: Network traffic  Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.11.20 -> 92.255.85.23:9000 (113 alerts, one per connection, from source ports 49721, 49723-49808, 49810, 49812-49820, 49822, 49824-49828, 49830-49831, 49834, 49836, 49838, 49842-49844, 49847, 49850)
Source: global traffic | TCP traffic: 92.255.85.23 ports 9000,1,4,5,7,8,15847
Source: unknown | Network traffic detected: HTTP traffic between port 9000 and each of the client ports 49721, 49723-49808, 49810, 49812-49820, 49822, 49824-49828, 49830, 49831, 49834, 49836, 49838, 49842-49844, 49847 and 49850 (the report lists one entry per direction for every port, i.e. <client port> -> 9000 and 9000 -> <client port>)
Source: global traffic | TCP traffic: 192.168.11.20:49720 -> 92.255.85.23:15847
Source: global traffic | HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1, Host: 92.255.85.23:9000, Connection: Keep-Alive (28 identical entries in the report)
Source: global traffic | HTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1, Host: 92.255.85.23:9000 (25 identical entries in the report)
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: Joe Sandbox View | ASN Name: SOVTEL-ASRU SOVTEL-ASRU
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H: 192.168.11.20 -> 92.255.85.23:9000 (47 alerts, one per client connection; source ports in the order reported: 49726, 49723, 49732, 49743, 49749, 49731, 49733, 49757, 49738, 49752, 49763, 49774, 49782, 49786, 49741, 49771, 49756, 49755, 49728, 49736, 49758, 49747, 49773, 49759, 49795, 49765, 49760, 49788, 49745, 49804, 49805, 49807, 49812, 49814, 49813, 49815, 49816, 49817, 49820, 49826, 49828, 49830, 49794, 49843, 49844, 49847, 49850)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 92.255.85.23 (reported 43 times)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 20.198.119.84 (reported 2 times)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 172.217.165.195 (reported 2 times)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 23.192.36.194 (reported 2 times)
                            Source: unknown | TCP traffic detected without corresponding DNS query: 23.50.115.141 (reported 1 time)
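The three network findings above (a repeated GET /wbinjget?q=<32 hex> request, the Host header pointing at an IP literal on port 9000, and TCP traffic to that IP with no preceding DNS query) can be re-derived from raw observations. The script below is an added example and is not Joe Sandbox output or code; its sample requests and DNS answers are constructed to mirror the report (the www.example.com control request, the 203.0.113.10 answer and the repeat threshold of 3 are assumptions), and the Suricata rule it carries is a hypothetical local rule with a sid from the local range, not the ETPRO rule 2803305 that fired here.

```python
# Added example (not Joe Sandbox output): re-derive the report's network
# findings from raw request records. All input below is constructed.
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample requests in the shape the report prints them: three
# copies of the observed beacon (with and without Connection: Keep-Alive)
# plus one benign control request to a hostname that was resolved.
SAMPLE_REQUESTS = [
    "GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1\r\n"
    "Host: 92.255.85.23:9000\r\nConnection: Keep-Alive\r\n",
    "GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1\r\n"
    "Host: 92.255.85.23:9000\r\n",
    "GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1\r\n"
    "Host: 92.255.85.23:9000\r\nConnection: Keep-Alive\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: Keep-Alive\r\n",
]
# Constructed DNS answers seen during the run. 92.255.85.23 is deliberately
# absent: the report shows TCP traffic to it with no corresponding DNS query.
SAMPLE_DNS_ANSWERS = {"www.example.com": {"203.0.113.10"}}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
# The check-in URI seen in the report: /wbinjget?q=<32 hex characters>.
WBINJGET_URI = re.compile(r"^/wbinjget\?q=[0-9A-Fa-f]{32}$")
STANDARD_HTTP_PORTS = {80, 8080}

# Hypothetical local Suricata rule for the same URI shape (sid from the local
# range). It is not the ETPRO rule 2803305 that fired in the report.
LOCAL_SURICATA_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"LOCAL wbinjget check-in URI"; flow:established,to_server; '
    'http.method; content:"GET"; http.uri; content:"/wbinjget?q="; startswith; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)


@dataclass(frozen=True)
class Request:
    method: str
    target: str
    host: str
    port: int
    keep_alive: bool


def parse_request(raw: str) -> Request:
    """Parse one request as printed in the report (request line + headers)."""
    lines = [line for line in raw.split("\r\n") if line]
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        raise ValueError(f"not an HTTP/1.x request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Host is "host" or "host:port"; bracketed IPv6 literals are not handled.
    host, _, port = headers.get("host", "").partition(":")
    return Request(
        method=match["method"],
        target=match["target"],
        host=host,
        port=int(port) if port else 80,
        keep_alive=headers.get("connection", "").lower() == "keep-alive",
    )


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(req: Request, dns_answers: dict) -> list:
    """Per-request indicators matching the report's three network findings."""
    resolved = set().union(*dns_answers.values()) if dns_answers else set()
    reasons = []
    if is_ip_literal(req.host):
        reasons.append("Host header is an IP literal")
        if req.host not in resolved:
            reasons.append("no DNS answer for destination")
    if req.port not in STANDARD_HTTP_PORTS:
        reasons.append(f"HTTP on non-standard port {req.port}")
    if WBINJGET_URI.match(req.target):
        reasons.append("wbinjget?q=<32 hex> check-in URI")
    return reasons


def analyze(raw_requests, dns_answers, min_repeats=3):
    """Group identical requests; return {(host, port, target): [reasons]}."""
    requests = [parse_request(raw) for raw in raw_requests]
    counts = Counter((r.host, r.port, r.target) for r in requests)
    first_seen = {}
    for r in requests:
        first_seen.setdefault((r.host, r.port, r.target), r)
    report = {}
    for key, n in counts.items():
        reasons = reasons_for(first_seen[key], dns_answers)
        if n >= min_repeats:
            reasons.append(f"repeated {n} times (beacon-like)")
        if reasons:
            report[key] = reasons
    return report


if __name__ == "__main__":
    for key, reasons in analyze(SAMPLE_REQUESTS, SAMPLE_DNS_ANSWERS).items():
        print(key, "->", "; ".join(reasons))
```

Each indicator on its own is weak (plenty of legitimate software talks to IP literals on odd ports), which is why the grouping step counts repeats of the identical request before reporting; the combination of all four reasons on one destination is what makes this traffic stand out in the report.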
                            Source: global traffic | HTTP traffic detected (47 further entries in this span, all the same request; a Connection: Keep-Alive header is present on some of them and absent on the rest):
                                GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1
                                Host: 92.255.85.23:9000
                                Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
                            Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC HTTP/1.1Host: 92.255.85.23:9000
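The 93 identical GET requests to 92.255.85.23:9000 logged above are what a stealer check-in looks like in a sandbox capture: a bare IP literal instead of a hostname, a port outside 80/443, a fixed path, a 32-hex-digit identifier in the query string that never changes, and the same request repeated for the whole run. The following Python is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "HTTP traffic detected" format (tolerating the flattened "HTTP/1.1Host:" join) and scores each endpoint on those traits. The sample input is the page's own request line in both header variants plus one constructed benign request for contrast; the repeat threshold, the "standard port" set and the equal weighting of the four traits are assumptions.

```python
"""Score 'HTTP traffic detected' lines from a sandbox report for C2 check-in traits."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Joe Sandbox flattens the request line and the Host header together
# ("HTTP/1.1Host: ..."), so allow zero or more whitespace between them.
_REQ_RE = re.compile(
    r"(?P<method>GET|POST) (?P<target>\S+) HTTP/1\.[01]\s*"
    r"Host: (?P<host>[^\s:]+)(?::(?P<port>\d+))?"
)
_HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # MD5/GUID-style victim identifier
STANDARD_HTTP_PORTS = {80, 443, 8080}          # assumption: anything else is "non-standard"


def parse_request(line):
    """Return method/host/port/path/query for one report line, or None if it holds no request."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else 80  # plain-HTTP default when no port is given
    target = urlsplit(m.group("target"))
    return {"method": m.group("method"), "host": m.group("host"), "port": port,
            "path": target.path, "query": parse_qs(target.query)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarise(lines, min_repeats=3):
    """Group requests by (host, port, path) and flag the traits seen in stealer check-ins."""
    counts, first_seen = Counter(), {}
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        key = (req["host"], req["port"], req["path"])
        counts[key] += 1
        first_seen.setdefault(key, req)

    findings = []
    for (host, port, path), n in counts.most_common():
        req = first_seen[(host, port, path)]
        tokens = [v for vals in req["query"].values() for v in vals if _HEX32_RE.match(v)]
        flags = {
            "ip_literal_host": _is_ip_literal(host),      # no DNS name, just an address
            "nonstandard_port": port not in STANDARD_HTTP_PORTS,
            "fixed_hex32_token": bool(tokens),            # same identifier on every request
            "repeated": n >= min_repeats,                 # polled, not fetched once
        }
        findings.append({"host": host, "port": port, "path": path, "count": n,
                         "query_tokens": tokens, "flags": flags,
                         "score": sum(flags.values())})   # 4 = every trait present
    return findings


# Constructed sample: the report's own check-in line in both header variants, plus one
# benign request added for contrast. Real input would be every line of the report.
_BEACON_KA = ("Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC"
              " HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive")
_BEACON = ("Source: global trafficHTTP traffic detected: GET /wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC"
           " HTTP/1.1Host: 92.255.85.23:9000")
_BENIGN = "Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1Host: www.example.com"
SAMPLE_LINES = [_BEACON_KA] * 5 + [_BEACON] * 3 + [_BENIGN]

if __name__ == "__main__":
    for f in summarise(SAMPLE_LINES):
        print(f"{f['host']}:{f['port']}{f['path']} x{f['count']} score={f['score']} {f['flags']}")
```

On the page's capture the 92.255.85.23:9000 endpoint scores 4 of 4 while the constructed benign request scores 0; the score is a triage aid for deciding which endpoints to block or pivot on, not a verdict on its own, since legitimate software also polls fixed URLs with opaque identifiers.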
                            Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="},"policy":{"last_statistics_update":"13335737596278882"},"profile":{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20",
                            Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
                            Source: MSBuild.exe, 00000015.00000002.2906232717.00000000034E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.85.23:9000
                            Source: MSBuild.exe, 00000015.00000002.2906232717.00000000034E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://92.255.85.23:9000/wbinjget?q=DCD19E1DA2479B3D22ABB9ECA2F479AC
                            Source: MSBuild.exe, 00000019.00000002.2321176638.0000000070B41000.00000020.00000001.01000000.00000012.sdmpString found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://ocsp.comodoca.com0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://ocsp.digicert.com0C
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://ocsp.digicert.com0O
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://ocsp.sectigo.com0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://s2.symcb.com0
                            Source: MSBuild.exe, 00000015.00000002.2906232717.00000000034E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                            Source: MSBuild.exe, 00000015.00000002.2906232717.00000000034E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://sv.symcb.com/sv.crl0a
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://sv.symcb.com/sv.crt0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://sv.symcd.com0&
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://www.digicert.com/CPS0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                            Source: WNBOZYUN.msiString found in binary or memory: http://www.flexerasoftware.com0
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681762171.00000000005C0000.00000002.00000001.01000000.00000004.sdmp, RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.geocities.com/SiliconValley/Network/2114/zipbeta.html
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.0000000009669000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.00000000056E2000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681762171.00000000005C0000.00000002.00000001.01000000.00000004.sdmp, RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/?ref=rtliteopenX5OP8O
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/bugreport/
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/support/?ref=rtliteopen
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/upgradefromlite/open
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: http://www.robotask.com/upgradefromlite/openU
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://www.symauth.com/cps0(
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: http://www.symauth.com/rpa00
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                            Source: RoboTaskLite.exe, 0000000E.00000002.1700754233.0000000050051000.00000020.00000001.01000000.00000006.sdmp, rtl280.bpl.14.drString found in binary or memory: https://%s:%u/d.phpP
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: https://d.symcb.com/cps0%
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: https://d.symcb.com/rpa0
                            Source: RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000015.00000002.2906232717.00000000039B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004CA9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000392C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004AFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D67000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A3C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004603000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000490A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003671000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004B2B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003927000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000375D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000467E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000366C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A37000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab0
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                            Source: MSBuild.exe, 00000019.00000002.2318125914.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/UPxYyFp8
                            Source: MSBuild.exe, 00000019.00000002.2318125914.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/UPxYyFp8PO
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: https://robotask.com/help/
                            Source: RoboTaskLite.exe, 0000000E.00000000.1681198210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: https://robotask.com/openhelp/?id=%d.openSV
                            Source: RoboTaskLite.exe, 0000000E.00000003.1686026369.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, WNBOZYUN.msi, RoboTaskLite.exe.14.drString found in binary or memory: https://sectigo.com/CPS0
Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003927000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004CA9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000375D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004AFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D67000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000467E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004603000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000490A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000366C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004B2B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003927000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004CA9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000375D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004AFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D67000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000467E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004603000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000490A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000366C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004B2B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: RoboTaskLite.exe, 0000000E.00000002.1698257667.00000000096BF000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1687402201.0000000009F0E000.00000004.00000001.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000003.1691824777.0000000009F0A000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994374695.000000000572A000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp, WNBOZYUN.msiString found in binary or memory: https://www.digicert.com/CPS0
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004CA9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004AFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004B2B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: MSBuild.exe, 00000015.00000002.2916592545.0000000004CA9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A6A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004AFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004B2B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004BEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: MSBuild.exe, 00000015.00000002.2906232717.0000000003927000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039B4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000392C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000375D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004D67000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000467E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A3C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004603000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.000000000490A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003671000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000039AF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.000000000366C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.00000000036FF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003A37000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2906232717.0000000003ABE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000015.00000002.2916592545.00000000046BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exeCode function: 14_2_50CB8570 @Vcl@Consts@_SCannotOpenClipboard,@Vcl@Consts@_SMCIWaveAudio,@Vcl@Consts@_SMCIUnknownError,@Vcl@Consts@_SBoldItalicFont,@Vcl@Consts@_SBoldFont,@Vcl@Consts@_SItalicFont,@Vcl@Consts@_SExecute,@Vcl@Consts@_SStart,@Vcl@Consts@_SStop,@Vcl@Consts@_SPause,@Vcl@Consts@_SContinue,@Vcl@Consts@_SServiceInstallOK,@Vcl@Consts@_SServiceInstallFailed,@Vcl@Consts@_SServiceUninstallOK,@Vcl@Consts@_SServiceUninstallFailed,@Vcl@Consts@_SDockedCtlNeedsName,@Vcl@Consts@_SDockZoneVersionConflict,@Vcl@Consts@_SAllCommands,@Vcl@Consts@_SDuplicateItem,@Vcl@Consts@_STextNotFound,@Vcl@Consts@_SBrowserExecError,@Vcl@Consts@_SPromptArrayEmpty,@Vcl@Consts@_SUsername,@Vcl@Consts@_SPassword,@Vcl@Consts@_SDomain,@Vcl@Consts@_SLogin,@Vcl@Consts@_SKeyNotFound,@Vcl@Consts@_SNoColumnMoving,@Vcl@Consts@_SNoEqualsInKey,@Vcl@Consts@_SSendError,@Vcl@Consts@_SAssignSubItemError,@Vcl@Consts@_SMoreButtons,@Vcl@Consts@_SErrorDownloadingURL,@Vcl@Consts@_SUrlMonDllMissing,@Vcl@Consts@_SAllActions,@Vcl@Consts@_SNoCategory,@Vcl@Consts@_SErrorLoadingFile,@Vcl@Consts@_SResetUsageData,@Vcl@Consts@_SFileRunDialogTitle,@Vcl@Consts@_SNoName,@Vcl@Consts@_SErrorActionManagerNotAssigned,14_2_50CB8570
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exeCode function: 14_2_50CC7D80 @Vcl@Graphics@TMetafile@LoadFromClipboardFormat$qqrusuip10HPALETTE__,GetClipboardData,@Vcl@Consts@_SUnknownClipboardFormat,@Vcl@Graphics@TMetafile@NewImage$qqrv,CopyEnhMetaFileW,GetEnhMetaFileHeader,14_2_50CC7D80

                            System Summary

                            Source: 25.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: 16.2.cmd.exe.62100c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: 16.2.cmd.exe.62100c8.6.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: 23.2.cmd.exe.51000c8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: 23.2.cmd.exe.51000c8.6.unpack, type: UNPACKEDPEMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\nxscuox, type: DROPPEDMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\oby, type: DROPPEDMatched rule: Detects Arechclient2 RAT Author: ditekSHen
                            Source: ISRT.dll.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 6%
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF191AD04_2_00007FF6EF191AD0
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19CC644_2_00007FF6EF19CC64
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19FCE44_2_00007FF6EF19FCE4
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19F11C4_2_00007FF6EF19F11C
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF1A42FC4_2_00007FF6EF1A42FC
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19D3084_2_00007FF6EF19D308
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF1942304_2_00007FF6EF194230
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF194E104_2_00007FF6EF194E10
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exeCode function: 14_2_50CC410014_2_50CC4100
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 21_2_0338AB5021_2_0338AB50
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 21_2_0338920021_2_03389200
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\MSIEBB5.tmp B8FA7AA425E4084EA3721780A13D11E08B8D53D1C5414B73F22FAECA1BFD314F
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\MSIF1FF.tmp 87517950F76654DD6F807E889CA48A7DC4FA8E99A206FE19299B1359A7205430
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nxscuox 96BA74CC27B44547D23FE1FA550FC59B4F340DBBCA8472D9B4698576751BB189
Source: MSIF1FF.tmp.0.dr | Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: RoboTaskLite.exe.14.dr | Static PE information: Number of sections : 11 > 10
Source: RoboTaskLite.exe.2.dr | Static PE information: Number of sections : 11 > 10
Source: WNBOZYUN.msi | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs WNBOZYUN.msi
Source: WNBOZYUN.msi | Binary or memory string: OriginalFilenameSFHelper.dll vs WNBOZYUN.msi
Source: WNBOZYUN.msi | Binary or memory string: OriginalFilenameSetAllUsers.dll< vs WNBOZYUN.msi
Source: WNBOZYUN.msi | Binary or memory string: OriginalFilename vs WNBOZYUN.msi
Source: WNBOZYUN.msi | Binary or memory string: OriginalFilenameRoboTaskLite.exe2 vs WNBOZYUN.msi
Source: 25.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.62100c8.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.62100c8.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 23.2.cmd.exe.51000c8.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 23.2.cmd.exe.51000c8.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\nxscuox, type: DROPPED | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\oby, type: DROPPED | Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: ISRT.dll.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISRT.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 16.2.cmd.exe.62100c8.6.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 23.2.cmd.exe.51000c8.6.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winMSI@37/48@0/1
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe | Code function: 14_2_50CC30FC GetLastError,FormatMessageW,@System@@UStrFromWArray$qqrr20System@UnicodeStringpbi,@System@Classes@EOutOfResources@,@System@Sysutils@Exception@$bctr$qqrx20System@UnicodeString,@System@@RaiseExcept$qqrv,@System@@UStrClr$qqrpv
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe | Code function: 4_2_00007FF6EF193140 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe | Code function: 4_2_00007FF6EF195870 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe | File created: C:\Users\user\AppData\Roaming\ServiceValid_testv2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8292:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9060:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\7f66e01a92e141d4a55aa3c62fd91510
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIEBB5.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\IsConfig.ini
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WNBOZYUN.msi | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WNBOZYUN.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CF32977746E218EEEDE7CA2544B2F355 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA76FFC7-070F-48AA-A57E-E6EA04FB65AC}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{92500C82-953F-402F-B6F9-789DEC6E960E}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E9B171B-8544-422E-9E42-CEF439811C75}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{715C38EC-9C71-4312-AEB8-36B923691B1B}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18A2E0DE-C8B0-4F09-8999-BC6F4666FB02}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A1B3A247-9AAE-4F1C-8301-F31840EC13D8}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27C98D69-B6ED-4325-8361-1D393661067B}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{740CDDF4-C0DD-4B2A-84ED-1DFE4BAB4319}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe | Process created: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe "C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe"
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
                            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: edgegdi.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edgegdi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: riched32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: riched20.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: usp10.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msls31.dllJump to behavior
                            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: uxtheme.dll
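The image-load list above is raw sandbox output; the useful view for a responder is per process. Read that way, MSBuild.exe, a signed Microsoft build tool, pulls in amsi.dll, CryptoAPI and DPAPI (cryptsp.dll, rsaenh.dll, dpapi.dll) and a full networking stack (mswsock.dll, dnsapi.dll, rasapi32.dll, winhttp.dll), which matches a .NET stealer payload injected into it rather than a build. The script below is an added example, not part of the Joe Sandbox report or its detection logic: it parses lines in the "Source: ... Section loaded: ..." form, groups them by process and applies a small heuristic. The LOLBin host list, the DLL groupings and the embedded event lines (a constructed subset of the ones on this page) are this example's own assumptions, not rules the sandbox ships.

```python
"""Group 'Section loaded' events by process and flag suspicious hosts.

Added example, not part of the sandbox report. SAMPLE_EVENTS is a constructed
subset of the report's lines; the host and DLL lists are this example's own
heuristic assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input: a handful of the report's image-load lines.
SAMPLE_EVENTS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: winbrand.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe  Section loaded: winhttp.dll
"""

# One report line: "Source: <process path>  Section loaded: <dll>"
LINE_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)\s+Section loaded:\s*(?P<dll>\S+)", re.I)

# Heuristic (assumption of this example): .NET build/registration tools that are
# commonly used as injection hosts, and DLL families a plain build has no reason
# to load during an installer run.
LOLBIN_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
NETWORK_DLLS = {"winhttp.dll", "wininet.dll", "dnsapi.dll", "mswsock.dll", "rasapi32.dll", "ws2_32.dll"}
CRYPTO_DLLS = {"cryptsp.dll", "rsaenh.dll", "dpapi.dll"}


def parse_events(text):
    """Return {process_path: [dll, ...]} in load order; lines that do not match are skipped."""
    loads = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loads[m.group("proc")].append(m.group("dll").lower())
    return dict(loads)


def flag_processes(loads):
    """Return {process_path: [reason, ...]} for processes that deserve a second look."""
    findings = {}
    for proc, dlls in loads.items():
        name = proc.rsplit("\\", 1)[-1].lower()
        seen = set(dlls)
        reasons = []
        if name in LOLBIN_HOSTS:
            net = sorted(seen & NETWORK_DLLS)
            if net:
                reasons.append(f"LOLBin host {name} loaded network DLLs: {', '.join(net)}")
            if "amsi.dll" in seen:
                reasons.append("amsi.dll loaded: managed or script code was run in-process")
            if seen & CRYPTO_DLLS:
                reasons.append("CryptoAPI/DPAPI loaded: consistent with credential decryption by a stealer")
        lower = proc.lower()
        if lower.startswith("c:\\users\\") and "\\appdata\\roaming\\" in lower and seen & NETWORK_DLLS:
            reasons.append("binary under a user-writable Roaming path loaded network DLLs")
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in flag_processes(parse_events(SAMPLE_EVENTS)).items():
        print(proc)
        for reason in reasons:
            print("  -", reason)
```

Run against the full list on this page, the same logic flags MSBuild.exe on all three counts and both RoboTaskLite.exe copies on the Roaming-path rule, while msiexec.exe, cmd.exe and ISBEW64.exe stay quiet; the first MSBuild.exe load of mscoree.dll is the CLR coming up, which is what makes the later amsi.dll load expected for a managed payload.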
Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: isrukqkpdcqxgy.16.dr  LNK file: ..\..\Roaming\ServiceValid_testv2\RoboTaskLite.exe
Source: C:\Windows\SysWOW64\msiexec.exe  File written: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\IsConfig.ini
Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: WNBOZYUN.msi  Static file information: File size 24659924 > 1048576
Source: Binary string: System.Windows.Forms.pdb source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: MSBuild.exe, 00000019.00000002.2321176638.000000007125B000.00000020.00000001.01000000.00000012.sdmp
Source: Binary string: System.Drawing.pdb source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: wntdll.pdbUGP source: RoboTaskLite.exe, 0000000E.00000002.1699269189.00000000097F6000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000002.1699979016.0000000009B50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1993896260.000000000538E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994753374.0000000005860000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2316206132.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315110494.000000000475D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: wntdll.pdb source: RoboTaskLite.exe, 0000000E.00000002.1699269189.00000000097F6000.00000004.00000020.00020000.00000000.sdmp, RoboTaskLite.exe, 0000000E.00000002.1699979016.0000000009B50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1993896260.000000000538E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1994753374.0000000005860000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2316206132.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2315110494.000000000475D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: MSBuild.exe, 00000019.00000002.2335553294.000000007143B000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000004.00000002.1675618110.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1672941239.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1676258702.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1673719563.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1676806540.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1674488757.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1677304517.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1675280936.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1676072102.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1678032706.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1697859923.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1677296572.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1680040069.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1677919117.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1681197813.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1678535284.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1679171611.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1682063704.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000002.1682934777.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000000.1679901810.00007FF6EF1A7000.00000002.00000001.01000000.00000003.sdmp
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF196930 SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,4_2_00007FF6EF196930
                            Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
                            Source: vcl280.bpl.14.dr Static PE information: real checksum: 0x405dec should be: 0x403876
                            Source: vcl280.bpl.2.dr Static PE information: real checksum: 0x405dec should be: 0x403876
                            Source: MSIF1FF.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x28b162
                            Source: nxscuox.23.dr Static PE information: real checksum: 0x0 should be: 0xc48fd
                            Source: oby.16.dr Static PE information: real checksum: 0x0 should be: 0xc48fd
                            Source: _isres_0x0409.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x1c5ec2
                            Source: MSIF1FF.tmp.0.dr Static PE information: section name: .orpc
                            Source: RoboTaskLite.exe.2.dr Static PE information: section name: .didata
                            Source: rtl280.bpl.2.dr Static PE information: section name: .didata
                            Source: vcl280.bpl.2.dr Static PE information: section name: .didata
                            Source: RoboTaskLite.exe.14.dr Static PE information: section name: .didata
                            Source: rtl280.bpl.14.dr Static PE information: section name: .didata
                            Source: vcl280.bpl.14.dr Static PE information: section name: .didata
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CCE008 push ecx; mov dword ptr [esp], eax 14_2_50CCE009
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB89D8 push eax; retn 00FEh 14_2_50CB89EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB81D8 push eax; retn 00FFh 14_2_50CB81EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB81E8 push eax; retn 00FFh 14_2_50CB81EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB89E8 push eax; retn 00FEh 14_2_50CB89EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB89E0 push eax; retn 00FEh 14_2_50CB89EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB81E0 push eax; retn 00FFh 14_2_50CB81EC
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB81F0 push eax; ret 14_2_50CB81F4
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB89F0 push eax; ret 14_2_50CB89F4
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8248 push eax; iretd 14_2_50CB8254
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A48 push eax; iretd 14_2_50CB8A54
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8240 push eax; iretd 14_2_50CB8254
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A40 push eax; iretd 14_2_50CB8A54
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8250 push eax; iretd 14_2_50CB8254
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A50 push eax; iretd 14_2_50CB8A54
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8218 push eax; retf 00FFh 14_2_50CB822C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A18 push eax; retf 00FEh 14_2_50CB8A2C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A28 push eax; retf 00FEh 14_2_50CB8A2C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8228 push eax; retf 00FFh 14_2_50CB822C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A20 push eax; retf 00FEh 14_2_50CB8A2C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8220 push eax; retf 00FFh 14_2_50CB822C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A38 push eax; iretd 14_2_50CB8A54
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8238 push eax; iretd 14_2_50CB8254
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8A30 push eax; retf 14_2_50CB8A34
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB8230 push eax; retf 14_2_50CB8234
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CC2C68 push ecx; mov dword ptr [esp], ecx 14_2_50CC2C6C
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CCD5EC push ecx; mov dword ptr [esp], ecx 14_2_50CCD5EF
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CC25A8 push ecx; mov dword ptr [esp], edx 14_2_50CC25AA
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CC66E8 push ecx; mov dword ptr [esp], edx 14_2_50CC66EA
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CC26BC push ecx; mov dword ptr [esp], edx 14_2_50CC26BE
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe Code function: 14_2_50CB9EBC push 4050CB9Eh; retf 50F3h 14_2_50CB9ECE
                            Source: ISRT.dll.2.dr Static PE information: section name: .text entropy: 7.9838191086194135
                            Source: oby.16.dr Static PE information: section name: .text entropy: 6.942798527099518
                            Source: nxscuox.23.dr Static PE information: section name: .text entropy: 6.942798527099518
                            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\oby
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe File created: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\rtl280.bpl
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe File created: C:\Users\user\AppData\Roaming\ServiceValid_testv2\rtl280.bpl
                            Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\nxscuox
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe File created: C:\Users\user\AppData\Roaming\ServiceValid_testv2\vcl280.bpl
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\_isres_0x0409.dll
                            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF1FF.tmp
                            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEBB5.tmp
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\vcl280.bpl
                            Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISRT.dll

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OBY
                            Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NXSCUOX
                            Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49721
                            Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49723
                            Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49724
                            Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49725
                            Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49726
                            Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49727
                            Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49728
                            Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49729
                            Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49730
                            Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49731
                            Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49732
                            Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49733
                            Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49734
                            Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49735
                            Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49736
                            Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49737
                            Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49738
                            Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49739
                            Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49740
                            Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49741
                            Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49742
                            Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49743
                            Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49744
                            Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49745
                            Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49746
                            Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49747
                            Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49748
                            Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49749
                            Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49750
                            Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49751
                            Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49752
                            Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49753
                            Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49754
                            Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49755
                            Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
                            Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
                            Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
                            Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
                            Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
                            Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
                            Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
                            Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
                            Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
                            Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
                            Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
                            Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
                            Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
                            Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
                            Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
                            Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
                            Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
                            Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
                            Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49774
                            Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
                            Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49776
                            Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
                            Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
                            Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
                            Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
                            Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
                            Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49782
                            Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49783
                            Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
                            Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
                            Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
                            Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
                            Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
                            Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49789
                            Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
                            Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
                            Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
                            Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
                            Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
                            Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
                            Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
                            Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
                            Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49798
                            Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
                            Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
                            Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49801
                            Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49802
                            Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
                            Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49804
                            Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49805
                            Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49806
                            Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49807
                            Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49808
                            Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49810
                            Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49812
                            Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49813
                            Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49814
                            Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49815
                            Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49816
                            Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49817
                            Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49818
                            Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49819
                            Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49820
                            Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49822
                            Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49824
                            Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49825
                            Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
                            Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49827
                            Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49828
                            Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49830
                            Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49831
                            Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49834
                            Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 9000
                            Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49836
                            Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49838
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49842
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49843
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49844
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49847
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 9000
                            Source: unknownNetwork traffic detected: HTTP traffic on port 9000 -> 49850
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19CC64 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00007FF6EF19CC64
                            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe | API/Special instruction interceptor: Address: 6BF07C44
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | API/Special instruction interceptor: Address: 6BF07C44
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | API/Special instruction interceptor: Address: 6BF07945
                            Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6BF03B54
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | API/Special instruction interceptor: Address: 6A997C44
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe | API/Special instruction interceptor: Address: 6A997945
                            Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6A993B54
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 32E0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 34E0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 32E0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1810000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 3050000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 5050000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe | Code function: 14_2_50CB9060 sldt word ptr [eax] 14_2_50CB9060
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 9930
                            Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oby
                            Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nxscuox
                            Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\_isres_0x0409.dll
                            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF1FF.tmp
                            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIEBB5.tmp
                            Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISRT.dll
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-8621
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_4-8742
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry key enumerated: More than 210 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8824 | Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8824 | Thread sleep time: -60000s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -44095s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8824 | Thread sleep time: -59890s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -37789s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8824 | Thread sleep time: -59781s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -48654s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8824 | Thread sleep time: -59671s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -39247s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -33755s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -48240s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -38142s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -59990s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8692 | Thread sleep time: -51428s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2744 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 60000
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 44095
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59890
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 37789
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59781
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48654
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59671
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 39247
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 33755
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 48240
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 38142
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 59990
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 51428
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
                            Source: cmd.exe, 00000017.00000002.2315680145.0000000004AF9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
                            Source: MSBuild.exe, 00000015.00000002.2901864358.0000000001571000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: RoboTaskLite.exe, 0000000E.00000002.1700754233.0000000050051000.00000020.00000001.01000000.00000006.sdmpBinary or memory string: VirtualMachine
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeAPI call chain: ExitProcess graph end nodegraph_4-8622
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exeProcess information queried: ProcessInformationJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 21_2_06FF65E8 LdrInitializeThunk,21_2_06FF65E8
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19D098 IsDebuggerPresent,4_2_00007FF6EF19D098
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF1A3008 EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_00007FF6EF1A3008
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF196930 SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,4_2_00007FF6EF196930
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19CAE4 GetProcessHeap,4_2_00007FF6EF19CAE4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF19DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF6EF19DCD4
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exeCode function: 4_2_00007FF6EF1A07D8 SetUnhandledExceptionFilter,4_2_00007FF6EF1A07D8
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe; NtProtectVirtualMemory: Direct from: 0x6BE54096
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe; NtQuerySystemInformation: Direct from: 0x50CB71C0
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exe; NtProtectVirtualMemory: Direct from: 0x778D7A4E
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe; NtProtectVirtualMemory: Direct from: 0x6BF0F932
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe; Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
                            Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
                            Source: C:\Windows\SysWOW64\cmd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6ACA1000
                            Source: C:\Windows\SysWOW64\cmd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1073008
                            Source: C:\Windows\SysWOW64\cmd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CB7008
                            Source: C:\Users\user\AppData\Roaming\ServiceValid_testv2\RoboTaskLite.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\{F8562070-9974-4B8E-BAB8-308A662C9869}\ISBEW64.exe; Code function: 4_2_00007FF6EF1A1128 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00007FF6EF1A1128
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            Source: Yara match; File source: 25.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 16.2.cmd.exe.62100c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 16.2.cmd.exe.62100c8.6.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 23.2.cmd.exe.51000c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 23.2.cmd.exe.51000c8.6.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000017.00000002.2316820013.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000010.00000002.1995781637.0000000006210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000019.00000002.2314418981.0000000000F02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: cmd.exe PID: 8284, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8688, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: cmd.exe PID: 9048, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 9176, type: MEMORYSTR
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\nxscuox, type: DROPPED
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\oby, type: DROPPED
                            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8688, type: MEMORYSTR
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                            Source: Yara match; File source: 25.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 16.2.cmd.exe.62100c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 16.2.cmd.exe.62100c8.6.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 23.2.cmd.exe.51000c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 23.2.cmd.exe.51000c8.6.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000017.00000002.2316820013.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000010.00000002.1995781637.0000000006210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000019.00000002.2314418981.0000000000F02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: cmd.exe PID: 8284, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 8688, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: cmd.exe PID: 9048, type: MEMORYSTR
                            Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 9176, type: MEMORYSTR
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\nxscuox, type: DROPPED
                            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\oby, type: DROPPED

                            Remote Access Functionality

                            Source: Yara matchFile source: 25.2.MSBuild.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.cmd.exe.62100c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.cmd.exe.62100c8.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.cmd.exe.51000c8.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 23.2.cmd.exe.51000c8.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000017.00000002.2316820013.0000000005100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.1995781637.0000000006210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000019.00000002.2314418981.0000000000F02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 8284, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8688, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 9048, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 9176, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nxscuox, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\oby, type: DROPPED
                            Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 8688, type: MEMORYSTR
                            Source: C:\Users\user\AppData\Local\Temp\{EE8A0717-C2AE-4188-8BEC-631BE53427B8}\RoboTaskLite.exeCode function: 14_2_50CB8080 @Vcl@Consts@_SInvalidTabIndex,@Vcl@Consts@_SInvalidTabStyle,@Vcl@Consts@_SInvalidBitmap,14_2_50CB8080
MITRE ATT&CK Matrix (a number in front of a technique is the count shown in the report for that cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 221 Windows Management Instrumentation | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 11 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 2 Data from Local System | 22 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 211 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 225 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 351 Security Software Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 DLL Side-Loading | Cached Domain Credentials | 11 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 251 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 251 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 211 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 1626773; Sample: WNBOZYUN.msi; Startdate: 28/02/2025; Architecture: WINDOWS; Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 7 other signatures

Process tree recovered from the behavior graph (graph node ids in brackets):

• [10] msiexec.exe (started from the root node)
  • [18] msiexec.exe: dropped C:\Users\user\AppData\...\_isres_0x0409.dll (PE32), C:\Users\user\AppData\Local\Temp\...\ISRT.dll (PE32), C:\Users\user\AppData\Local\...\ISBEW64.exe (PE32+) and 3 other malicious files
    • [24] RoboTaskLite.exe: dropped C:\Users\user\AppData\Roaming\...\vcl280.bpl (PE32), C:\Users\user\AppData\Roaming\...\rtl280.bpl (PE32), C:\Users\user\AppData\...\RoboTaskLite.exe (PE32); signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      • [38] RoboTaskLite.exe: signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        • [41] cmd.exe: dropped C:\Users\user\AppData\Local\Temp\oby (PE32); signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
          • [45] MSBuild.exe: network contact 92.255.85.23, ports 15847, 49720, 49721 (SOVTEL-ASRU, Russian Federation); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
          • [49] conhost.exe
    • [28] ISBEW64.exe
    • [30] ISBEW64.exe
    • [36] 8 other processes
• [12] RoboTaskLite.exe (started from the root node): signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  • [21] cmd.exe: dropped C:\Users\user\AppData\Local\Temp\nxscuox (PE32); signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    • [32] conhost.exe
    • [34] MSBuild.exe
• [15] msiexec.exe (started from the root node): dropped C:\Users\user\AppData\Local\...\MSIF1FF.tmp (PE32), C:\Users\user\AppData\Local\...\MSIEBB5.tmp (PE32)

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.