Edit tour

Windows Analysis Report
GELEPLLV.msi

Overview

General Information

Sample name:	GELEPLLV.msi
Analysis ID:	1629534
MD5:	1044cd6af25675680ec37008fa8469f9
SHA1:	9517f01fd4933aec4a0e8b885653cf7cf36bdd2e
SHA256:	345f2791ba1e227504d337c775992e294dc889fc9930bfcf7a213b5748ecf802
Tags:	msiuser-1ZRR4H
Infos:

Detection

RedLine, SectopRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

Yara detected SectopRAT

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7564 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\GELEPLLV.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7596 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7640 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 721F7157EC60ED4BDE0DFCD92E791EEC C MD5: 9D09DC1EDA745A5F87553048E57620CF)

ISBEW64.exe (PID: 7692 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E83174FE-C665-465A-A362-97A8557AEF45} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7724 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7269B72-A4F4-4A43-AD82-18F3A8EDEB2E} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7756 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0BC4BB7-F4AD-4186-90AB-E1483A5D8CF4} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7804 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F96A5C8A-D5FB-4FF8-A586-B8E8188D2794} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7836 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02392C44-6D1B-487E-A493-44C3EC06AA27} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7876 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C246B97D-1770-433A-A54B-78C6BB3E25A3} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7920 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A403955-82B3-4C45-BC39-9961952DDF3C} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7952 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28E1C0CE-7C15-4622-AE11-9EABAAF98FF8} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 7984 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36385D1D-E9F1-44EB-B7AF-C3D9BCFE6308} MD5: 40F3A092744E46F3531A40B917CCA81E)

ISBEW64.exe (PID: 8016 cmdline: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{129B1CD9-B0F3-479E-B4D1-596CC8169910} MD5: 40F3A092744E46F3531A40B917CCA81E)

SplashWin.exe (PID: 8052 cmdline: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)

SplashWin.exe (PID: 8076 cmdline: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)

cmd.exe (PID: 8116 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7728 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

SplashWin.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)

cmd.exe (PID: 7952 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 2720 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\igbbbmfix	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\igbbbmfix	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\igbbbmfix	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbe9c7:$s14: keybd_event 0xc5bb3:$v1_1: grabber@ 0xbf51f:$v1_2: <BrowserProfile>k__ 0xbff9e:$v1_3: <SystemHardwares>k__ 0xc005d:$v1_5: <ScannedWallets>k__ 0xc00ed:$v1_6: <DicrFiles>k__ 0xc00c9:$v1_7: <MessageClientFiles>k__ 0xc0493:$v1_8: <ScanBrowsers>k__BackingField 0xc04e5:$v1_8: <ScanWallets>k__BackingField 0xc0502:$v1_8: <ScanScreen>k__BackingField 0xc053c:$v1_8: <ScanVPN>k__BackingField 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbe9c7:$s14: keybd_event 0xc5bb3:$v1_1: grabber@ 0xbf51f:$v1_2: <BrowserProfile>k__ 0xbff9e:$v1_3: <SystemHardwares>k__ 0xc005d:$v1_5: <ScannedWallets>k__ 0xc00ed:$v1_6: <DicrFiles>k__ 0xc00c9:$v1_7: <MessageClientFiles>k__ 0xc0493:$v1_8: <ScanBrowsers>k__BackingField 0xc04e5:$v1_8: <ScanWallets>k__BackingField 0xc0502:$v1_8: <ScanScreen>k__BackingField 0xc053c:$v1_8: <ScanVPN>k__BackingField 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.2012956923.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2012956923.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000019.00000002.2304532163.0000000004F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2304532163.0000000004F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001C.00000002.2303821346.0000000000902000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.2303821346.0000000000902000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: cmd.exe PID: 8116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 8116	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7728	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: cmd.exe PID: 7952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7952	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 2720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 2720	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.cmd.exe.4f800c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.cmd.exe.4f800c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.cmd.exe.4f800c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbcbc7:$s14: keybd_event 0xc3db3:$v1_1: grabber@ 0xbd71f:$v1_2: <BrowserProfile>k__ 0xbe19e:$v1_3: <SystemHardwares>k__ 0xbe25d:$v1_5: <ScannedWallets>k__ 0xbe2ed:$v1_6: <DicrFiles>k__ 0xbe2c9:$v1_7: <MessageClientFiles>k__ 0xbe693:$v1_8: <ScanBrowsers>k__BackingField 0xbe6e5:$v1_8: <ScanWallets>k__BackingField 0xbe702:$v1_8: <ScanScreen>k__BackingField 0xbe73c:$v1_8: <ScanVPN>k__BackingField 0xaf9ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaf2f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.cmd.exe.5df00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.5df00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.5df00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbcbc7:$s14: keybd_event 0xc3db3:$v1_1: grabber@ 0xbd71f:$v1_2: <BrowserProfile>k__ 0xbe19e:$v1_3: <SystemHardwares>k__ 0xbe25d:$v1_5: <ScannedWallets>k__ 0xbe2ed:$v1_6: <DicrFiles>k__ 0xbe2c9:$v1_7: <MessageClientFiles>k__ 0xbe693:$v1_8: <ScanBrowsers>k__BackingField 0xbe6e5:$v1_8: <ScanWallets>k__BackingField 0xbe702:$v1_8: <ScanScreen>k__BackingField 0xbe73c:$v1_8: <ScanVPN>k__BackingField 0xaf9ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xaf2f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
25.2.cmd.exe.4f800c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.cmd.exe.4f800c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.cmd.exe.4f800c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbe9c7:$s14: keybd_event 0xc5bb3:$v1_1: grabber@ 0xbf51f:$v1_2: <BrowserProfile>k__ 0xbff9e:$v1_3: <SystemHardwares>k__ 0xc005d:$v1_5: <ScannedWallets>k__ 0xc00ed:$v1_6: <DicrFiles>k__ 0xc00c9:$v1_7: <MessageClientFiles>k__ 0xc0493:$v1_8: <ScanBrowsers>k__BackingField 0xc04e5:$v1_8: <ScanWallets>k__BackingField 0xc0502:$v1_8: <ScanScreen>k__BackingField 0xc053c:$v1_8: <ScanVPN>k__BackingField 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
28.2.MSBuild.exe.900000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.MSBuild.exe.900000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
28.2.MSBuild.exe.900000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbe9c7:$s14: keybd_event 0xc5bb3:$v1_1: grabber@ 0xbf51f:$v1_2: <BrowserProfile>k__ 0xbff9e:$v1_3: <SystemHardwares>k__ 0xc005d:$v1_5: <ScannedWallets>k__ 0xc00ed:$v1_6: <DicrFiles>k__ 0xc00c9:$v1_7: <MessageClientFiles>k__ 0xc0493:$v1_8: <ScanBrowsers>k__BackingField 0xc04e5:$v1_8: <ScanWallets>k__BackingField 0xc0502:$v1_8: <ScanScreen>k__BackingField 0xc053c:$v1_8: <ScanVPN>k__BackingField 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.cmd.exe.5df00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.5df00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.5df00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xbe9c7:$s14: keybd_event 0xc5bb3:$v1_1: grabber@ 0xbf51f:$v1_2: <BrowserProfile>k__ 0xbff9e:$v1_3: <SystemHardwares>k__ 0xc005d:$v1_5: <ScannedWallets>k__ 0xc00ed:$v1_6: <DicrFiles>k__ 0xc00c9:$v1_7: <MessageClientFiles>k__ 0xc0493:$v1_8: <ScanBrowsers>k__BackingField 0xc04e5:$v1_8: <ScanWallets>k__BackingField 0xc0502:$v1_8: <ScanScreen>k__BackingField 0xc053c:$v1_8: <ScanVPN>k__BackingField 0xb17ea:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xb10f6:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 10 entries

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T21:00:53.125862+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49738	92.255.85.23	9000	TCP
2025-03-04T21:00:53.992956+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49739	92.255.85.23	9000	TCP
2025-03-04T21:00:54.818562+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49740	92.255.85.23	9000	TCP
2025-03-04T21:00:55.685988+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49741	92.255.85.23	9000	TCP
2025-03-04T21:00:56.531220+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49742	92.255.85.23	9000	TCP
2025-03-04T21:00:57.364440+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49743	92.255.85.23	9000	TCP
2025-03-04T21:00:58.217347+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49744	92.255.85.23	9000	TCP
2025-03-04T21:00:59.052545+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49745	92.255.85.23	9000	TCP
2025-03-04T21:00:59.899458+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49746	92.255.85.23	9000	TCP
2025-03-04T21:01:00.768461+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49747	92.255.85.23	9000	TCP
2025-03-04T21:01:01.597360+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49748	92.255.85.23	9000	TCP
2025-03-04T21:01:02.481607+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49749	92.255.85.23	9000	TCP
2025-03-04T21:01:03.301579+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49750	92.255.85.23	9000	TCP
2025-03-04T21:01:04.147483+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49751	92.255.85.23	9000	TCP
2025-03-04T21:01:05.061301+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49752	92.255.85.23	9000	TCP
2025-03-04T21:01:05.910054+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49753	92.255.85.23	9000	TCP
2025-03-04T21:01:06.746819+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49755	92.255.85.23	9000	TCP
2025-03-04T21:01:07.600463+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49756	92.255.85.23	9000	TCP
2025-03-04T21:01:08.448578+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49757	92.255.85.23	9000	TCP
2025-03-04T21:01:09.305983+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49758	92.255.85.23	9000	TCP
2025-03-04T21:01:10.340958+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49759	92.255.85.23	9000	TCP
2025-03-04T21:01:11.203721+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49762	92.255.85.23	9000	TCP
2025-03-04T21:01:12.144994+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49764	92.255.85.23	9000	TCP
2025-03-04T21:01:13.864713+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49766	92.255.85.23	9000	TCP
2025-03-04T21:01:14.791326+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49767	92.255.85.23	9000	TCP
2025-03-04T21:01:15.635987+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49769	92.255.85.23	9000	TCP
2025-03-04T21:01:16.486959+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49775	92.255.85.23	9000	TCP
2025-03-04T21:01:17.313331+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49781	92.255.85.23	9000	TCP
2025-03-04T21:01:18.151827+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49787	92.255.85.23	9000	TCP
2025-03-04T21:01:18.986712+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49793	92.255.85.23	9000	TCP
2025-03-04T21:01:19.808491+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49800	92.255.85.23	9000	TCP
2025-03-04T21:01:20.633362+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49806	92.255.85.23	9000	TCP
2025-03-04T21:01:21.483263+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49818	92.255.85.23	9000	TCP
2025-03-04T21:01:22.392623+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49825	92.255.85.23	9000	TCP
2025-03-04T21:01:23.359746+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49831	92.255.85.23	9000	TCP
2025-03-04T21:01:24.183641+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49843	92.255.85.23	9000	TCP
2025-03-04T21:01:25.019007+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49849	92.255.85.23	9000	TCP
2025-03-04T21:01:25.843355+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49856	92.255.85.23	9000	TCP
2025-03-04T21:01:26.678545+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49864	92.255.85.23	9000	TCP
2025-03-04T21:01:27.508822+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49870	92.255.85.23	9000	TCP
2025-03-04T21:01:28.373364+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49879	92.255.85.23	9000	TCP
2025-03-04T21:01:29.269973+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49887	92.255.85.23	9000	TCP
2025-03-04T21:01:30.091047+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49894	92.255.85.23	9000	TCP
2025-03-04T21:01:30.908381+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49900	92.255.85.23	9000	TCP
2025-03-04T21:01:31.755094+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49907	92.255.85.23	9000	TCP
2025-03-04T21:01:32.569458+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49917	92.255.85.23	9000	TCP
2025-03-04T21:01:33.399550+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49924	92.255.85.23	9000	TCP
2025-03-04T21:01:34.228163+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49930	92.255.85.23	9000	TCP
2025-03-04T21:01:35.045705+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49936	92.255.85.23	9000	TCP
2025-03-04T21:01:35.893556+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49941	92.255.85.23	9000	TCP
2025-03-04T21:01:36.769227+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49945	92.255.85.23	9000	TCP
2025-03-04T21:01:37.591532+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49950	92.255.85.23	9000	TCP
2025-03-04T21:01:38.454815+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49956	92.255.85.23	9000	TCP
2025-03-04T21:01:39.331700+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49961	92.255.85.23	9000	TCP
2025-03-04T21:01:40.166096+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49968	92.255.85.23	9000	TCP
2025-03-04T21:01:41.055824+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49974	92.255.85.23	9000	TCP
2025-03-04T21:01:41.865890+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49979	92.255.85.23	9000	TCP
2025-03-04T21:01:42.698684+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49986	92.255.85.23	9000	TCP
2025-03-04T21:01:43.525270+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49992	92.255.85.23	9000	TCP
2025-03-04T21:01:44.364609+0100	2052248	1	A Network Trojan was detected	192.168.2.4	49998	92.255.85.23	9000	TCP
2025-03-04T21:01:45.195987+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50004	92.255.85.23	9000	TCP
2025-03-04T21:01:46.006298+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50011	92.255.85.23	9000	TCP
2025-03-04T21:01:46.864899+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50017	92.255.85.23	9000	TCP
2025-03-04T21:01:47.680422+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50024	92.255.85.23	9000	TCP
2025-03-04T21:01:48.548834+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50028	92.255.85.23	9000	TCP
2025-03-04T21:01:49.405104+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50034	92.255.85.23	9000	TCP
2025-03-04T21:01:50.270021+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50040	92.255.85.23	9000	TCP
2025-03-04T21:01:51.113876+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50045	92.255.85.23	9000	TCP
2025-03-04T21:01:51.995822+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50051	92.255.85.23	9000	TCP
2025-03-04T21:01:52.835939+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50057	92.255.85.23	9000	TCP
2025-03-04T21:01:53.705533+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50063	92.255.85.23	9000	TCP
2025-03-04T21:01:54.527304+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50068	92.255.85.23	9000	TCP
2025-03-04T21:01:55.372954+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50074	92.255.85.23	9000	TCP
2025-03-04T21:01:56.234546+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50080	92.255.85.23	9000	TCP
2025-03-04T21:01:57.084907+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50086	92.255.85.23	9000	TCP
2025-03-04T21:01:57.905893+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50096	92.255.85.23	9000	TCP
2025-03-04T21:01:58.812127+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50103	92.255.85.23	9000	TCP
2025-03-04T21:01:59.669318+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50111	92.255.85.23	9000	TCP
2025-03-04T21:02:00.494517+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50116	92.255.85.23	9000	TCP
2025-03-04T21:02:01.303956+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50117	92.255.85.23	9000	TCP
2025-03-04T21:02:02.136998+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50118	92.255.85.23	9000	TCP
2025-03-04T21:02:02.974434+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50119	92.255.85.23	9000	TCP
2025-03-04T21:02:03.809105+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50120	92.255.85.23	9000	TCP
2025-03-04T21:02:04.695495+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50122	92.255.85.23	9000	TCP
2025-03-04T21:02:05.579963+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50123	92.255.85.23	9000	TCP
2025-03-04T21:02:06.420333+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50125	92.255.85.23	9000	TCP
2025-03-04T21:02:07.281534+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50126	92.255.85.23	9000	TCP
2025-03-04T21:02:08.135514+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50127	92.255.85.23	9000	TCP
2025-03-04T21:02:08.959539+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50132	92.255.85.23	9000	TCP
2025-03-04T21:02:09.772125+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50133	92.255.85.23	9000	TCP
2025-03-04T21:02:10.628530+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50136	92.255.85.23	9000	TCP
2025-03-04T21:02:11.479646+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50138	92.255.85.23	9000	TCP
2025-03-04T21:02:12.458611+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50141	92.255.85.23	9000	TCP
2025-03-04T21:02:13.303557+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50144	92.255.85.23	9000	TCP
2025-03-04T21:02:14.129687+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50145	92.255.85.23	9000	TCP
2025-03-04T21:02:14.967991+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50146	92.255.85.23	9000	TCP
2025-03-04T21:02:15.787862+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50147	92.255.85.23	9000	TCP
2025-03-04T21:02:16.614641+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50148	92.255.85.23	9000	TCP
2025-03-04T21:02:17.449428+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50149	92.255.85.23	9000	TCP
2025-03-04T21:02:18.279892+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50150	92.255.85.23	9000	TCP
2025-03-04T21:02:19.100694+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50152	92.255.85.23	9000	TCP
2025-03-04T21:02:19.946065+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50153	92.255.85.23	9000	TCP
2025-03-04T21:02:20.928682+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50154	92.255.85.23	9000	TCP
2025-03-04T21:02:21.803026+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50156	92.255.85.23	9000	TCP
2025-03-04T21:02:22.623599+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50157	92.255.85.23	9000	TCP
2025-03-04T21:02:23.507620+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50158	92.255.85.23	9000	TCP
2025-03-04T21:02:24.329036+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50159	92.255.85.23	9000	TCP
2025-03-04T21:02:25.207802+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50160	92.255.85.23	9000	TCP
2025-03-04T21:02:26.062464+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50161	92.255.85.23	9000	TCP
2025-03-04T21:02:26.899754+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50162	92.255.85.23	9000	TCP
2025-03-04T21:02:27.736411+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50163	92.255.85.23	9000	TCP
2025-03-04T21:02:28.659434+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50164	92.255.85.23	9000	TCP
2025-03-04T21:02:29.500471+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50165	92.255.85.23	9000	TCP
2025-03-04T21:02:30.345077+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50166	92.255.85.23	9000	TCP
2025-03-04T21:02:31.169714+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50167	92.255.85.23	9000	TCP
2025-03-04T21:02:32.062033+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50168	92.255.85.23	9000	TCP
2025-03-04T21:02:32.900724+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50169	92.255.85.23	9000	TCP
2025-03-04T21:02:33.716349+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50170	92.255.85.23	9000	TCP
2025-03-04T21:02:34.570364+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50171	92.255.85.23	9000	TCP
2025-03-04T21:02:35.475026+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50172	92.255.85.23	9000	TCP
2025-03-04T21:02:36.358069+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50173	92.255.85.23	9000	TCP
2025-03-04T21:02:37.207579+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50174	92.255.85.23	9000	TCP
2025-03-04T21:02:38.054914+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50175	92.255.85.23	9000	TCP
2025-03-04T21:02:38.908948+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50176	92.255.85.23	9000	TCP
2025-03-04T21:02:39.812270+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50177	92.255.85.23	9000	TCP
2025-03-04T21:02:40.630142+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50179	92.255.85.23	9000	TCP
2025-03-04T21:02:41.455623+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50180	92.255.85.23	9000	TCP
2025-03-04T21:02:42.311385+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50181	92.255.85.23	9000	TCP
2025-03-04T21:02:43.179215+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50182	92.255.85.23	9000	TCP
2025-03-04T21:02:44.046659+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50183	92.255.85.23	9000	TCP
2025-03-04T21:02:44.897288+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50184	92.255.85.23	9000	TCP
2025-03-04T21:02:45.822529+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50185	92.255.85.23	9000	TCP
2025-03-04T21:02:46.932417+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50186	92.255.85.23	9000	TCP
2025-03-04T21:02:47.774908+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50187	92.255.85.23	9000	TCP
2025-03-04T21:02:48.592667+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50188	92.255.85.23	9000	TCP
2025-03-04T21:02:49.550099+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50189	92.255.85.23	9000	TCP
2025-03-04T21:02:50.675290+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50190	92.255.85.23	9000	TCP
2025-03-04T21:02:51.542170+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50192	92.255.85.23	9000	TCP
2025-03-04T21:02:52.451487+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50193	92.255.85.23	9000	TCP
2025-03-04T21:02:53.446969+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50194	92.255.85.23	9000	TCP
2025-03-04T21:02:54.266556+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50197	92.255.85.23	9000	TCP
2025-03-04T21:02:55.095852+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50198	92.255.85.23	9000	TCP
2025-03-04T21:02:55.960888+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50200	92.255.85.23	9000	TCP
2025-03-04T21:02:56.827925+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50201	92.255.85.23	9000	TCP
2025-03-04T21:02:57.661662+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50202	92.255.85.23	9000	TCP
2025-03-04T21:02:58.499341+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50203	92.255.85.23	9000	TCP
2025-03-04T21:02:59.367401+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50204	92.255.85.23	9000	TCP
2025-03-04T21:03:00.178904+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50205	92.255.85.23	9000	TCP
2025-03-04T21:03:01.019233+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50206	92.255.85.23	9000	TCP
2025-03-04T21:03:01.885143+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50207	92.255.85.23	9000	TCP
2025-03-04T21:03:02.709574+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50208	92.255.85.23	9000	TCP
2025-03-04T21:03:03.524943+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50210	92.255.85.23	9000	TCP
2025-03-04T21:03:04.390359+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50211	92.255.85.23	9000	TCP
2025-03-04T21:03:05.284387+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50212	92.255.85.23	9000	TCP
2025-03-04T21:03:06.145050+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50213	92.255.85.23	9000	TCP
2025-03-04T21:03:07.093308+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50214	92.255.85.23	9000	TCP
2025-03-04T21:03:07.944787+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50215	92.255.85.23	9000	TCP
2025-03-04T21:03:08.994494+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50217	92.255.85.23	9000	TCP
2025-03-04T21:03:09.811603+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50219	92.255.85.23	9000	TCP
2025-03-04T21:03:10.697639+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50221	92.255.85.23	9000	TCP
2025-03-04T21:03:11.515497+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50222	92.255.85.23	9000	TCP
2025-03-04T21:03:12.335430+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50223	92.255.85.23	9000	TCP
2025-03-04T21:03:13.272778+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50224	92.255.85.23	9000	TCP
2025-03-04T21:03:14.100728+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50225	92.255.85.23	9000	TCP
2025-03-04T21:03:14.946357+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50226	92.255.85.23	9000	TCP
2025-03-04T21:03:15.767687+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50227	92.255.85.23	9000	TCP
2025-03-04T21:03:16.622891+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50228	92.255.85.23	9000	TCP
2025-03-04T21:03:17.648588+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50229	92.255.85.23	9000	TCP
2025-03-04T21:03:18.520555+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50230	92.255.85.23	9000	TCP
2025-03-04T21:03:19.348572+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50231	92.255.85.23	9000	TCP
2025-03-04T21:03:20.193767+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50232	92.255.85.23	9000	TCP
2025-03-04T21:03:21.049770+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50233	92.255.85.23	9000	TCP
2025-03-04T21:03:21.885694+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50234	92.255.85.23	9000	TCP
2025-03-04T21:03:22.824144+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50235	92.255.85.23	9000	TCP
2025-03-04T21:03:23.696251+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50236	92.255.85.23	9000	TCP
2025-03-04T21:03:24.556032+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50237	92.255.85.23	9000	TCP
2025-03-04T21:03:25.394956+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50239	92.255.85.23	9000	TCP
2025-03-04T21:03:26.316474+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50240	92.255.85.23	9000	TCP
2025-03-04T21:03:27.155640+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50241	92.255.85.23	9000	TCP
2025-03-04T21:03:28.052179+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50242	92.255.85.23	9000	TCP
2025-03-04T21:03:29.063905+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50243	92.255.85.23	9000	TCP
2025-03-04T21:03:29.916329+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50244	92.255.85.23	9000	TCP
2025-03-04T21:03:30.768812+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50245	92.255.85.23	9000	TCP
2025-03-04T21:03:31.609283+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50247	92.255.85.23	9000	TCP
2025-03-04T21:03:32.456364+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50248	92.255.85.23	9000	TCP
2025-03-04T21:03:33.309679+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50249	92.255.85.23	9000	TCP
2025-03-04T21:03:34.119233+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50250	92.255.85.23	9000	TCP
2025-03-04T21:03:34.958479+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50251	92.255.85.23	9000	TCP
2025-03-04T21:03:35.819190+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50252	92.255.85.23	9000	TCP
2025-03-04T21:03:36.659511+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50253	92.255.85.23	9000	TCP
2025-03-04T21:03:37.477178+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50254	92.255.85.23	9000	TCP
2025-03-04T21:03:38.289317+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50255	92.255.85.23	9000	TCP
2025-03-04T21:03:39.269409+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50256	92.255.85.23	9000	TCP
2025-03-04T21:03:40.126001+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50257	92.255.85.23	9000	TCP
2025-03-04T21:03:40.964072+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50258	92.255.85.23	9000	TCP
2025-03-04T21:03:41.800937+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50259	92.255.85.23	9000	TCP
2025-03-04T21:03:42.634917+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50260	92.255.85.23	9000	TCP
2025-03-04T21:03:43.454821+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50261	92.255.85.23	9000	TCP
2025-03-04T21:03:44.335691+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50262	92.255.85.23	9000	TCP
2025-03-04T21:03:45.156152+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50263	92.255.85.23	9000	TCP
2025-03-04T21:03:45.995560+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50264	92.255.85.23	9000	TCP
2025-03-04T21:03:46.828438+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50265	92.255.85.23	9000	TCP
2025-03-04T21:03:47.654581+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50266	92.255.85.23	9000	TCP
2025-03-04T21:03:48.510336+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50267	92.255.85.23	9000	TCP
2025-03-04T21:03:49.345708+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50268	92.255.85.23	9000	TCP
2025-03-04T21:03:50.170870+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50269	92.255.85.23	9000	TCP
2025-03-04T21:03:50.994376+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50270	92.255.85.23	9000	TCP
2025-03-04T21:03:51.837309+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50272	92.255.85.23	9000	TCP
2025-03-04T21:03:52.680509+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50273	92.255.85.23	9000	TCP
2025-03-04T21:03:54.524349+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50274	92.255.85.23	9000	TCP
2025-03-04T21:03:55.338706+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50275	92.255.85.23	9000	TCP
2025-03-04T21:03:56.165636+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50276	92.255.85.23	9000	TCP
2025-03-04T21:03:56.987462+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50277	92.255.85.23	9000	TCP
2025-03-04T21:03:57.819595+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50278	92.255.85.23	9000	TCP
2025-03-04T21:03:58.685486+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50281	92.255.85.23	9000	TCP
2025-03-04T21:03:59.488131+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50282	92.255.85.23	9000	TCP
2025-03-04T21:04:00.321970+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50283	92.255.85.23	9000	TCP
2025-03-04T21:04:01.158547+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50284	92.255.85.23	9000	TCP
2025-03-04T21:04:01.974720+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50285	92.255.85.23	9000	TCP
2025-03-04T21:04:02.825038+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50286	92.255.85.23	9000	TCP
2025-03-04T21:04:03.720011+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50287	92.255.85.23	9000	TCP
2025-03-04T21:04:04.550082+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50288	92.255.85.23	9000	TCP
2025-03-04T21:04:05.530364+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50289	92.255.85.23	9000	TCP
2025-03-04T21:04:06.387721+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50290	92.255.85.23	9000	TCP
2025-03-04T21:04:07.214525+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50291	92.255.85.23	9000	TCP
2025-03-04T21:04:08.049148+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50292	92.255.85.23	9000	TCP
2025-03-04T21:04:08.873595+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50293	92.255.85.23	9000	TCP
2025-03-04T21:04:09.760338+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50294	92.255.85.23	9000	TCP
2025-03-04T21:04:10.584408+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50295	92.255.85.23	9000	TCP
2025-03-04T21:04:11.454330+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50296	92.255.85.23	9000	TCP
2025-03-04T21:04:12.351066+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50297	92.255.85.23	9000	TCP
2025-03-04T21:04:13.304164+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50298	92.255.85.23	9000	TCP
2025-03-04T21:04:14.137102+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50300	92.255.85.23	9000	TCP
2025-03-04T21:04:14.941254+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50301	92.255.85.23	9000	TCP
2025-03-04T21:04:15.835900+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50302	92.255.85.23	9000	TCP
2025-03-04T21:04:16.658422+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50304	92.255.85.23	9000	TCP
2025-03-04T21:04:17.497036+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50305	92.255.85.23	9000	TCP
2025-03-04T21:04:18.400075+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50306	92.255.85.23	9000	TCP
2025-03-04T21:04:19.435474+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50307	92.255.85.23	9000	TCP
2025-03-04T21:04:20.265010+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50308	92.255.85.23	9000	TCP
2025-03-04T21:04:21.112212+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50309	92.255.85.23	9000	TCP
2025-03-04T21:04:21.946242+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50310	92.255.85.23	9000	TCP
2025-03-04T21:04:22.755995+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50311	92.255.85.23	9000	TCP
2025-03-04T21:04:23.576760+0100	2052248	1	A Network Trojan was detected	192.168.2.4	50313	92.255.85.23	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T21:00:54.818562+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	92.255.85.23	9000	TCP
2025-03-04T21:00:55.685988+0100	2803305	3	Unknown Traffic	192.168.2.4	49741	92.255.85.23	9000	TCP
2025-03-04T21:00:58.217347+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	92.255.85.23	9000	TCP
2025-03-04T21:01:02.481607+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	92.255.85.23	9000	TCP
2025-03-04T21:01:04.147483+0100	2803305	3	Unknown Traffic	192.168.2.4	49751	92.255.85.23	9000	TCP
2025-03-04T21:01:05.061301+0100	2803305	3	Unknown Traffic	192.168.2.4	49752	92.255.85.23	9000	TCP
2025-03-04T21:01:08.448578+0100	2803305	3	Unknown Traffic	192.168.2.4	49757	92.255.85.23	9000	TCP
2025-03-04T21:01:10.340958+0100	2803305	3	Unknown Traffic	192.168.2.4	49759	92.255.85.23	9000	TCP
2025-03-04T21:01:11.203721+0100	2803305	3	Unknown Traffic	192.168.2.4	49762	92.255.85.23	9000	TCP
2025-03-04T21:01:14.791326+0100	2803305	3	Unknown Traffic	192.168.2.4	49767	92.255.85.23	9000	TCP
2025-03-04T21:01:15.635987+0100	2803305	3	Unknown Traffic	192.168.2.4	49769	92.255.85.23	9000	TCP
2025-03-04T21:01:16.486959+0100	2803305	3	Unknown Traffic	192.168.2.4	49775	92.255.85.23	9000	TCP
2025-03-04T21:01:18.151827+0100	2803305	3	Unknown Traffic	192.168.2.4	49787	92.255.85.23	9000	TCP
2025-03-04T21:01:21.483263+0100	2803305	3	Unknown Traffic	192.168.2.4	49818	92.255.85.23	9000	TCP
2025-03-04T21:01:22.392623+0100	2803305	3	Unknown Traffic	192.168.2.4	49825	92.255.85.23	9000	TCP
2025-03-04T21:01:23.359746+0100	2803305	3	Unknown Traffic	192.168.2.4	49831	92.255.85.23	9000	TCP
2025-03-04T21:01:29.269973+0100	2803305	3	Unknown Traffic	192.168.2.4	49887	92.255.85.23	9000	TCP
2025-03-04T21:01:30.908381+0100	2803305	3	Unknown Traffic	192.168.2.4	49900	92.255.85.23	9000	TCP
2025-03-04T21:01:31.755094+0100	2803305	3	Unknown Traffic	192.168.2.4	49907	92.255.85.23	9000	TCP
2025-03-04T21:01:34.228163+0100	2803305	3	Unknown Traffic	192.168.2.4	49930	92.255.85.23	9000	TCP
2025-03-04T21:01:36.769227+0100	2803305	3	Unknown Traffic	192.168.2.4	49945	92.255.85.23	9000	TCP
2025-03-04T21:01:37.591532+0100	2803305	3	Unknown Traffic	192.168.2.4	49950	92.255.85.23	9000	TCP
2025-03-04T21:01:40.166096+0100	2803305	3	Unknown Traffic	192.168.2.4	49968	92.255.85.23	9000	TCP
2025-03-04T21:01:41.055824+0100	2803305	3	Unknown Traffic	192.168.2.4	49974	92.255.85.23	9000	TCP
2025-03-04T21:01:43.525270+0100	2803305	3	Unknown Traffic	192.168.2.4	49992	92.255.85.23	9000	TCP
2025-03-04T21:01:45.195987+0100	2803305	3	Unknown Traffic	192.168.2.4	50004	92.255.85.23	9000	TCP
2025-03-04T21:01:46.006298+0100	2803305	3	Unknown Traffic	192.168.2.4	50011	92.255.85.23	9000	TCP
2025-03-04T21:01:48.548834+0100	2803305	3	Unknown Traffic	192.168.2.4	50028	92.255.85.23	9000	TCP
2025-03-04T21:01:50.270021+0100	2803305	3	Unknown Traffic	192.168.2.4	50040	92.255.85.23	9000	TCP
2025-03-04T21:01:51.113876+0100	2803305	3	Unknown Traffic	192.168.2.4	50045	92.255.85.23	9000	TCP
2025-03-04T21:01:51.995822+0100	2803305	3	Unknown Traffic	192.168.2.4	50051	92.255.85.23	9000	TCP
2025-03-04T21:01:57.084907+0100	2803305	3	Unknown Traffic	192.168.2.4	50086	92.255.85.23	9000	TCP
2025-03-04T21:01:57.905893+0100	2803305	3	Unknown Traffic	192.168.2.4	50096	92.255.85.23	9000	TCP
2025-03-04T21:01:58.812127+0100	2803305	3	Unknown Traffic	192.168.2.4	50103	92.255.85.23	9000	TCP
2025-03-04T21:02:03.809105+0100	2803305	3	Unknown Traffic	192.168.2.4	50120	92.255.85.23	9000	TCP
2025-03-04T21:02:04.695495+0100	2803305	3	Unknown Traffic	192.168.2.4	50122	92.255.85.23	9000	TCP
2025-03-04T21:02:05.579963+0100	2803305	3	Unknown Traffic	192.168.2.4	50123	92.255.85.23	9000	TCP
2025-03-04T21:02:07.281534+0100	2803305	3	Unknown Traffic	192.168.2.4	50126	92.255.85.23	9000	TCP
2025-03-04T21:02:08.135514+0100	2803305	3	Unknown Traffic	192.168.2.4	50127	92.255.85.23	9000	TCP
2025-03-04T21:02:09.772125+0100	2803305	3	Unknown Traffic	192.168.2.4	50133	92.255.85.23	9000	TCP
2025-03-04T21:02:11.479646+0100	2803305	3	Unknown Traffic	192.168.2.4	50138	92.255.85.23	9000	TCP
2025-03-04T21:02:14.129687+0100	2803305	3	Unknown Traffic	192.168.2.4	50145	92.255.85.23	9000	TCP
2025-03-04T21:02:16.614641+0100	2803305	3	Unknown Traffic	192.168.2.4	50148	92.255.85.23	9000	TCP
2025-03-04T21:02:19.946065+0100	2803305	3	Unknown Traffic	192.168.2.4	50153	92.255.85.23	9000	TCP
2025-03-04T21:02:25.207802+0100	2803305	3	Unknown Traffic	192.168.2.4	50160	92.255.85.23	9000	TCP
2025-03-04T21:02:29.500471+0100	2803305	3	Unknown Traffic	192.168.2.4	50165	92.255.85.23	9000	TCP
2025-03-04T21:02:30.345077+0100	2803305	3	Unknown Traffic	192.168.2.4	50166	92.255.85.23	9000	TCP
2025-03-04T21:02:32.062033+0100	2803305	3	Unknown Traffic	192.168.2.4	50168	92.255.85.23	9000	TCP
2025-03-04T21:02:32.900724+0100	2803305	3	Unknown Traffic	192.168.2.4	50169	92.255.85.23	9000	TCP
2025-03-04T21:02:34.570364+0100	2803305	3	Unknown Traffic	192.168.2.4	50171	92.255.85.23	9000	TCP
2025-03-04T21:02:36.358069+0100	2803305	3	Unknown Traffic	192.168.2.4	50173	92.255.85.23	9000	TCP
2025-03-04T21:02:37.207579+0100	2803305	3	Unknown Traffic	192.168.2.4	50174	92.255.85.23	9000	TCP
2025-03-04T21:02:38.908948+0100	2803305	3	Unknown Traffic	192.168.2.4	50176	92.255.85.23	9000	TCP
2025-03-04T21:02:43.179215+0100	2803305	3	Unknown Traffic	192.168.2.4	50182	92.255.85.23	9000	TCP
2025-03-04T21:02:44.046659+0100	2803305	3	Unknown Traffic	192.168.2.4	50183	92.255.85.23	9000	TCP
2025-03-04T21:02:47.774908+0100	2803305	3	Unknown Traffic	192.168.2.4	50187	92.255.85.23	9000	TCP
2025-03-04T21:02:49.550099+0100	2803305	3	Unknown Traffic	192.168.2.4	50189	92.255.85.23	9000	TCP
2025-03-04T21:02:50.675290+0100	2803305	3	Unknown Traffic	192.168.2.4	50190	92.255.85.23	9000	TCP
2025-03-04T21:02:54.266556+0100	2803305	3	Unknown Traffic	192.168.2.4	50197	92.255.85.23	9000	TCP
2025-03-04T21:02:55.095852+0100	2803305	3	Unknown Traffic	192.168.2.4	50198	92.255.85.23	9000	TCP
2025-03-04T21:02:55.960888+0100	2803305	3	Unknown Traffic	192.168.2.4	50200	92.255.85.23	9000	TCP
2025-03-04T21:02:56.827925+0100	2803305	3	Unknown Traffic	192.168.2.4	50201	92.255.85.23	9000	TCP
2025-03-04T21:03:00.178904+0100	2803305	3	Unknown Traffic	192.168.2.4	50205	92.255.85.23	9000	TCP
2025-03-04T21:03:02.709574+0100	2803305	3	Unknown Traffic	192.168.2.4	50208	92.255.85.23	9000	TCP
2025-03-04T21:03:03.524943+0100	2803305	3	Unknown Traffic	192.168.2.4	50210	92.255.85.23	9000	TCP
2025-03-04T21:03:04.390359+0100	2803305	3	Unknown Traffic	192.168.2.4	50211	92.255.85.23	9000	TCP
2025-03-04T21:03:08.994494+0100	2803305	3	Unknown Traffic	192.168.2.4	50217	92.255.85.23	9000	TCP
2025-03-04T21:03:11.515497+0100	2803305	3	Unknown Traffic	192.168.2.4	50222	92.255.85.23	9000	TCP
2025-03-04T21:03:17.648588+0100	2803305	3	Unknown Traffic	192.168.2.4	50229	92.255.85.23	9000	TCP
2025-03-04T21:03:21.049770+0100	2803305	3	Unknown Traffic	192.168.2.4	50233	92.255.85.23	9000	TCP
2025-03-04T21:03:22.824144+0100	2803305	3	Unknown Traffic	192.168.2.4	50235	92.255.85.23	9000	TCP
2025-03-04T21:03:24.556032+0100	2803305	3	Unknown Traffic	192.168.2.4	50237	92.255.85.23	9000	TCP
2025-03-04T21:03:26.316474+0100	2803305	3	Unknown Traffic	192.168.2.4	50240	92.255.85.23	9000	TCP
2025-03-04T21:03:27.155640+0100	2803305	3	Unknown Traffic	192.168.2.4	50241	92.255.85.23	9000	TCP
2025-03-04T21:03:29.916329+0100	2803305	3	Unknown Traffic	192.168.2.4	50244	92.255.85.23	9000	TCP
2025-03-04T21:03:33.309679+0100	2803305	3	Unknown Traffic	192.168.2.4	50249	92.255.85.23	9000	TCP
2025-03-04T21:03:35.819190+0100	2803305	3	Unknown Traffic	192.168.2.4	50252	92.255.85.23	9000	TCP
2025-03-04T21:03:36.659511+0100	2803305	3	Unknown Traffic	192.168.2.4	50253	92.255.85.23	9000	TCP
2025-03-04T21:03:37.477178+0100	2803305	3	Unknown Traffic	192.168.2.4	50254	92.255.85.23	9000	TCP
2025-03-04T21:03:39.269409+0100	2803305	3	Unknown Traffic	192.168.2.4	50256	92.255.85.23	9000	TCP
2025-03-04T21:03:45.156152+0100	2803305	3	Unknown Traffic	192.168.2.4	50263	92.255.85.23	9000	TCP
2025-03-04T21:03:46.828438+0100	2803305	3	Unknown Traffic	192.168.2.4	50265	92.255.85.23	9000	TCP
2025-03-04T21:03:47.654581+0100	2803305	3	Unknown Traffic	192.168.2.4	50266	92.255.85.23	9000	TCP
2025-03-04T21:03:49.345708+0100	2803305	3	Unknown Traffic	192.168.2.4	50268	92.255.85.23	9000	TCP
2025-03-04T21:03:50.994376+0100	2803305	3	Unknown Traffic	192.168.2.4	50270	92.255.85.23	9000	TCP
2025-03-04T21:03:51.837309+0100	2803305	3	Unknown Traffic	192.168.2.4	50272	92.255.85.23	9000	TCP
2025-03-04T21:03:52.680509+0100	2803305	3	Unknown Traffic	192.168.2.4	50273	92.255.85.23	9000	TCP
2025-03-04T21:03:54.524349+0100	2803305	3	Unknown Traffic	192.168.2.4	50274	92.255.85.23	9000	TCP
2025-03-04T21:03:56.165636+0100	2803305	3	Unknown Traffic	192.168.2.4	50276	92.255.85.23	9000	TCP
2025-03-04T21:03:57.819595+0100	2803305	3	Unknown Traffic	192.168.2.4	50278	92.255.85.23	9000	TCP
2025-03-04T21:04:03.720011+0100	2803305	3	Unknown Traffic	192.168.2.4	50287	92.255.85.23	9000	TCP
2025-03-04T21:04:05.530364+0100	2803305	3	Unknown Traffic	192.168.2.4	50289	92.255.85.23	9000	TCP
2025-03-04T21:04:08.049148+0100	2803305	3	Unknown Traffic	192.168.2.4	50292	92.255.85.23	9000	TCP
2025-03-04T21:04:10.584408+0100	2803305	3	Unknown Traffic	192.168.2.4	50295	92.255.85.23	9000	TCP
2025-03-04T21:04:14.941254+0100	2803305	3	Unknown Traffic	192.168.2.4	50301	92.255.85.23	9000	TCP
2025-03-04T21:04:17.497036+0100	2803305	3	Unknown Traffic	192.168.2.4	50305	92.255.85.23	9000	TCP
2025-03-04T21:04:23.576760+0100	2803305	3	Unknown Traffic	192.168.2.4	50313	92.255.85.23	9000	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\igbbbmfix	Avira: detection malicious, Label: TR/AVI.Agent.leqri
Source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	Avira: detection malicious, Label: TR/AVI.Agent.leqri

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\igbbbmfix	ReversingLabs: Detection: 73%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:	Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: GELEPLLV.msi, MSI2180.tmp.0.dr
Source:	Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: SplashWin.exe, 0000000D.00000000.1696724319.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000D.00000002.1706434101.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000E.00000000.1704944800.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 0000000E.00000002.1764497476.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000002.2137412037.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000000.2080562015.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, GELEPLLV.msi, SplashWin.exe.2.dr, SplashWin.exe.13.dr
Source:	Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: SplashWin.exe, 0000000D.00000002.1718713571.000000006C715000.00000002.00000001.01000000.00000006.sdmp, SplashWin.exe, 0000000E.00000002.1773387624.000000006C205000.00000002.00000001.01000000.0000000A.sdmp, SplashWin.exe, 00000018.00000002.2141589828.000000006C715000.00000002.00000001.01000000.0000000A.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr
Source:	Binary string: wntdll.pdbUGP source: SplashWin.exe, 0000000D.00000002.1713271120.0000000009B30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.1712346760.00000000097D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771941100.00000000096C3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772567122.0000000009DDF000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772325007.0000000009A20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012234320.0000000005510000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2011657690.0000000005035000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140701923.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2141060581.000000000A1B9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140892302.0000000009E00000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2303822485.00000000045F4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304221470.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SplashWin.exe, 0000000D.00000002.1713271120.0000000009B30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.1712346760.00000000097D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771941100.00000000096C3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772567122.0000000009DDF000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772325007.0000000009A20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012234320.0000000005510000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2011657690.0000000005035000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140701923.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2141060581.000000000A1B9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140892302.0000000009E00000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2303822485.00000000045F4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304221470.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: SplashWin.exe, 0000000D.00000002.1718713571.000000006C715000.00000002.00000001.01000000.00000006.sdmp, SplashWin.exe, 0000000E.00000002.1773387624.000000006C205000.00000002.00000001.01000000.0000000A.sdmp, SplashWin.exe, 00000018.00000002.2141589828.000000006C715000.00000002.00000001.01000000.0000000A.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr
Source:	Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: SplashWin.exe, 0000000D.00000000.1696724319.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000D.00000002.1706434101.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000E.00000000.1704944800.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 0000000E.00000002.1764497476.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000002.2137412037.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000000.2080562015.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, GELEPLLV.msi, SplashWin.exe.2.dr, SplashWin.exe.13.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _isres_0x0409.dll.2.dr
Source:	Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: SplashWin.exe, 0000000D.00000002.1719036570.000000006C781000.00000020.00000001.01000000.00000005.sdmp, SplashWin.exe, 0000000E.00000002.1773189624.000000006C171000.00000020.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000018.00000002.2141700392.000000006CF31000.00000020.00000001.01000000.0000000B.sdmp, GELEPLLV.msi, vcruntime140.dll.2.dr, vcruntime140.dll.13.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000002.1687243345.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000003.00000000.1686159750.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1687788084.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1686834647.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1689194936.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1687295898.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1687894860.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1689823290.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1692357935.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1688735219.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1690928109.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1710835665.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1695463546.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1692404459.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1696483870.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1693634957.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1697145400.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1694765547.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1695594668.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1700653639.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe.2.dr
Source:	Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 0000000E.00000002.1773036551.000000006C0F1000.00000020.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000018.00000002.2141420693.000000006C621000.00000020.00000001.01000000.0000000C.sdmp, GELEPLLV.msi, msvcp140.dll.13.dr, msvcp140.dll.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6320D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,		13_2_6C6320D0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C1020D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,		14_2_6C1020D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49741 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49740 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49751 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49738 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49747 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49742 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49753 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49739 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49743 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49755 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49748 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49744 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49767 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49757 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49762 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49759 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49750 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49758 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49749 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49769 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49764 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49756 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49775 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49781 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49793 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49806 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49745 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49746 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49818 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49752 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49787 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49766 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49800 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49825 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49843 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49831 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49856 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49849 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49870 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49894 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49887 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49900 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49879 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49907 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49936 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49864 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49917 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49924 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49930 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49968 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49950 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49961 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49974 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49956 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49979 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49998 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49945 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50004 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50024 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50011 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49986 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50017 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50028 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49941 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50040 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50057 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50034 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50051 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50074 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49992 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50045 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50063 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50080 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50086 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50068 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50096 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50111 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50116 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50119 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50117 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50103 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50122 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50125 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50123 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50118 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50132 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50136 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50126 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50127 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50120 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50144 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50133 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50146 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50138 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50141 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50147 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50145 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50148 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50149 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50152 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50153 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50154 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50156 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50157 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50158 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50159 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50160 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50150 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50161 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50162 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50163 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50164 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50165 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50166 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50168 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50169 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50170 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50171 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50172 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50173 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50174 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50175 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50176 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50177 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50179 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50180 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50181 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50182 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50183 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50185 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50167 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50186 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50184 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50187 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50188 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50189 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50190 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50192 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50193 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50194 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50198 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50200 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50201 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50202 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50203 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50204 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50205 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50206 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50207 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50208 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50211 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50212 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50213 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50214 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50215 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50217 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50219 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50221 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50222 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50223 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50224 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50225 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50226 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50227 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50228 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50229 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50197 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50230 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50233 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50235 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50237 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50239 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50240 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50241 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50242 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50243 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50244 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50245 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50247 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50248 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50250 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50251 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50252 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50253 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50254 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50255 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50256 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50257 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50231 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50236 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50258 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50259 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50260 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50261 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50262 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50210 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50232 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50234 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50249 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50263 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50264 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50265 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50267 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50268 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50269 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50270 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50272 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50274 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50275 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50276 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50277 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50278 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50281 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50283 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50285 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50286 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50287 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50288 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50289 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50290 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50291 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50292 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50293 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50294 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50296 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50297 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50298 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50300 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50301 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50304 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50305 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50306 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50307 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50308 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50309 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50282 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50310 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50311 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50313 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50302 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50266 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50295 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50273 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:50284 -> 92.255.85.23:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 92.255.85.23 ports 9000,1,4,5,7,8,15847

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50165
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 50167 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50167
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50171
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50177
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50183
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 50194 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50194
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 50200 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50200
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 50212 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50212
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 50214 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50214
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50215
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50234 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50234
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50235
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 50241 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50241
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 50253 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50253
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 50256 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50258 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 50261 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 50262 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 50263 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 50265 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 50266 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 50268 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50268
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50272
Source: unknown	Network traffic detected: HTTP traffic on port 50273 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 50275 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 50276 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50276
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 50278 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 50281 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50282
Source: unknown	Network traffic detected: HTTP traffic on port 50283 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 50284 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 50285 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 50287 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50287
Source: unknown	Network traffic detected: HTTP traffic on port 50288 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50289
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 50291 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50291
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 50293 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50293
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 50295 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 50297 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 50298 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 50300 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 50304 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 50307 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 50308 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50308
Source: unknown	Network traffic detected: HTTP traffic on port 50309 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 50310 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 50311 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50313

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 92.255.85.23:15847

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000

Source: Joe Sandbox View

IP Address: 92.255.85.23 92.255.85.23

Source: Joe Sandbox View

ASN Name: SOVTEL-ASRU SOVTEL-ASRU

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49757 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49775 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49818 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49787 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49825 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49831 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49887 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49900 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49907 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49930 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49968 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49950 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49974 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49945 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50004 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50011 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50028 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50040 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50051 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49992 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50045 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50086 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50096 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50103 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50122 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50123 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50126 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50127 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50120 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50133 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50138 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50145 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50148 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50153 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50160 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50165 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50166 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50168 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50169 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50171 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50173 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50174 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50176 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50182 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50183 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50187 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50189 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50190 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50198 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50200 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50201 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50205 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50208 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50211 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50217 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50222 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50229 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50197 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50233 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50235 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50237 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50240 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50241 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50244 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50252 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50253 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50254 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50256 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50210 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50249 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50263 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50265 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50268 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50270 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50272 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50274 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50276 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50278 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50287 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50289 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50292 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50301 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50305 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50313 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50266 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50295 -> 92.255.85.23:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50273 -> 92.255.85.23:9000

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.85.23

Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.23:9000

Source: global traffic

DNS traffic detected: DNS query: tse1.mm.bing.net

Source: MSBuild.exe, 00000017.00000002.4145959596.00000000029AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.23:9000
Source: MSBuild.exe, 00000017.00000002.4145959596.00000000029AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://92.255.85.23:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://www.flexerasoftware.com0
Source: SplashWin.exe, 0000000D.00000002.1712001428.000000000963A000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.000000000952F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.0000000005394000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.0000000009915000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.0000000004953000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 0000001C.00000002.2305030984.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/UPxYyFp8
Source: MSBuild.exe, 0000001C.00000002.2305030984.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/UPxYyFp8PO
Source: SplashWin.exe, 0000000D.00000003.1703628552.0000000000900000.00000004.00000020.00020000.00000000.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr, SplashWin.exe.2.dr, SplashWin.exe.13.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: SplashWin.exe, 0000000D.00000002.1712001428.0000000009690000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771131850.0000000009585000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012085319.00000000053DC000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140527043.000000000996B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp, GELEPLLV.msi, ISBEW64.exe.2.dr, MSI2008.tmp.0.dr, ISRT.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000017.00000002.4145959596.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4149440929.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.4145959596.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 25.2.cmd.exe.4f800c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.cmd.exe.5df00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 25.2.cmd.exe.4f800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 28.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.cmd.exe.5df00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\igbbbmfix, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

PE file has a writeable .text section

Source: ISRT.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B471AD0	3_2_00007FF63B471AD0
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B47CC64	3_2_00007FF63B47CC64
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B47F11C	3_2_00007FF63B47F11C
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B47FCE4	3_2_00007FF63B47FCE4
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B47D308	3_2_00007FF63B47D308
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B4842FC	3_2_00007FF63B4842FC
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B474E10	3_2_00007FF63B474E10
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B474230	3_2_00007FF63B474230
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C626458	13_2_6C626458
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C62642C	13_2_6C62642C
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C626430	13_2_6C626430
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C626434	13_2_6C626434
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6214F2	13_2_6C6214F2
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C626494	13_2_6C626494
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6265EC	13_2_6C6265EC
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C621E07	13_2_6C621E07
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C626618	13_2_6C626618
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6266E4	13_2_6C6266E4
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6266D4	13_2_6C6266D4
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C625360	13_2_6C625360
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C625324	13_2_6C625324
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C624B0C	13_2_6C624B0C
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6253F8	13_2_6C6253F8
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6253CC	13_2_6C6253CC
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6253DC	13_2_6C6253DC
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C0F14F2	14_2_6C0F14F2
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C0F1E07	14_2_6C0F1E07
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C0F66D4	14_2_6C0F66D4
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C0F66E4	14_2_6C0F66E4

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\MSI2008.tmp B8FA7AA425E4084EA3721780A13D11E08B8D53D1C5414B73F22FAECA1BFD314F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\MSI2180.tmp DB01AA9FD931EDCAFF54D745DAA1D9A377ADAB5E91161DABF53A94C7FCFD0838

Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: String function: 6C12E69B appears 123 times
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: String function: 6C12E6CF appears 38 times
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: String function: 6C65E69B appears 123 times
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: String function: 6C65E6CF appears 38 times

Source: MSI2180.tmp.0.dr

Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled

Source: GELEPLLV.msi	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenameSFHelper.dll vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenamemsvcp140.dllT vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenameAnyViewer4 vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenamevcruntime140.dllT vs GELEPLLV.msi
Source: GELEPLLV.msi	Binary or memory string: OriginalFilenameiKernel.dll vs GELEPLLV.msi

Source: 25.2.cmd.exe.4f800c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.cmd.exe.5df00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 25.2.cmd.exe.4f800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 28.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.cmd.exe.5df00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\igbbbmfix, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: ISRT.dll.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: ISRT.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 15.2.cmd.exe.5df00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 25.2.cmd.exe.4f800c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@39/26@1/1

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

Code function: 13_2_6C632440 _Statvfs,GetDiskFreeSpaceExW,

13_2_6C632440

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B473140 CoCreateInstance,

3_2_00007FF63B473140

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B475870 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

3_2_00007FF63B475870

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

File created: C:\Users\user\AppData\Roaming\Controltool_irh

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\4b6f97056bd3430db6ca6dde5ea6eba9

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI2008.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Command line argument: AnyViewer		13_2_00EE19D0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Command line argument: AnyViewer		14_2_00D119D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\IsConfig.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\GELEPLLV.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 721F7157EC60ED4BDE0DFCD92E791EEC C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E83174FE-C665-465A-A362-97A8557AEF45}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7269B72-A4F4-4A43-AD82-18F3A8EDEB2E}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0BC4BB7-F4AD-4186-90AB-E1483A5D8CF4}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F96A5C8A-D5FB-4FF8-A586-B8E8188D2794}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02392C44-6D1B-487E-A493-44C3EC06AA27}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C246B97D-1770-433A-A54B-78C6BB3E25A3}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A403955-82B3-4C45-BC39-9961952DDF3C}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28E1C0CE-7C15-4622-AE11-9EABAAF98FF8}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36385D1D-E9F1-44EB-B7AF-C3D9BCFE6308}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{129B1CD9-B0F3-479E-B4D1-596CC8169910}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Process created: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe "C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe"
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 721F7157EC60ED4BDE0DFCD92E791EEC C	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E83174FE-C665-465A-A362-97A8557AEF45}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7269B72-A4F4-4A43-AD82-18F3A8EDEB2E}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0BC4BB7-F4AD-4186-90AB-E1483A5D8CF4}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F96A5C8A-D5FB-4FF8-A586-B8E8188D2794}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02392C44-6D1B-487E-A493-44C3EC06AA27}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C246B97D-1770-433A-A54B-78C6BB3E25A3}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A403955-82B3-4C45-BC39-9961952DDF3C}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28E1C0CE-7C15-4622-AE11-9EABAAF98FF8}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36385D1D-E9F1-44EB-B7AF-C3D9BCFE6308}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{129B1CD9-B0F3-479E-B4D1-596CC8169910}	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Process created: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: duilib_u.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: duilib_u.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: jehdmsow.15.dr

LNK file: ..\..\Roaming\Controltool_irh\SplashWin.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\IsConfig.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: GELEPLLV.msi

Static file information: File size 6509020 > 1048576

Source:	Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: GELEPLLV.msi, MSI2180.tmp.0.dr
Source:	Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: SplashWin.exe, 0000000D.00000000.1696724319.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000D.00000002.1706434101.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000E.00000000.1704944800.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 0000000E.00000002.1764497476.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000002.2137412037.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000000.2080562015.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, GELEPLLV.msi, SplashWin.exe.2.dr, SplashWin.exe.13.dr
Source:	Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: SplashWin.exe, 0000000D.00000002.1718713571.000000006C715000.00000002.00000001.01000000.00000006.sdmp, SplashWin.exe, 0000000E.00000002.1773387624.000000006C205000.00000002.00000001.01000000.0000000A.sdmp, SplashWin.exe, 00000018.00000002.2141589828.000000006C715000.00000002.00000001.01000000.0000000A.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr
Source:	Binary string: wntdll.pdbUGP source: SplashWin.exe, 0000000D.00000002.1713271120.0000000009B30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.1712346760.00000000097D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771941100.00000000096C3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772567122.0000000009DDF000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772325007.0000000009A20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012234320.0000000005510000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2011657690.0000000005035000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140701923.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2141060581.000000000A1B9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140892302.0000000009E00000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2303822485.00000000045F4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304221470.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SplashWin.exe, 0000000D.00000002.1713271120.0000000009B30000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000D.00000002.1712346760.00000000097D4000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1771941100.00000000096C3000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772567122.0000000009DDF000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000E.00000002.1772325007.0000000009A20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2012234320.0000000005510000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2011657690.0000000005035000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140701923.0000000009AAA000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2141060581.000000000A1B9000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000018.00000002.2140892302.0000000009E00000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2303822485.00000000045F4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000019.00000002.2304221470.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: SplashWin.exe, 0000000D.00000002.1718713571.000000006C715000.00000002.00000001.01000000.00000006.sdmp, SplashWin.exe, 0000000E.00000002.1773387624.000000006C205000.00000002.00000001.01000000.0000000A.sdmp, SplashWin.exe, 00000018.00000002.2141589828.000000006C715000.00000002.00000001.01000000.0000000A.sdmp, GELEPLLV.msi, DuiLib_u.dll.2.dr, DuiLib_u.dll.13.dr
Source:	Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: SplashWin.exe, 0000000D.00000000.1696724319.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000D.00000002.1706434101.0000000000EE3000.00000002.00000001.01000000.00000004.sdmp, SplashWin.exe, 0000000E.00000000.1704944800.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 0000000E.00000002.1764497476.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000002.2137412037.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000018.00000000.2080562015.0000000000D13000.00000002.00000001.01000000.00000009.sdmp, GELEPLLV.msi, SplashWin.exe.2.dr, SplashWin.exe.13.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _isres_0x0409.dll.2.dr
Source:	Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: SplashWin.exe, 0000000D.00000002.1719036570.000000006C781000.00000020.00000001.01000000.00000005.sdmp, SplashWin.exe, 0000000E.00000002.1773189624.000000006C171000.00000020.00000001.01000000.0000000B.sdmp, SplashWin.exe, 00000018.00000002.2141700392.000000006CF31000.00000020.00000001.01000000.0000000B.sdmp, GELEPLLV.msi, vcruntime140.dll.2.dr, vcruntime140.dll.13.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000002.1687243345.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000003.00000000.1686159750.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1687788084.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000000.1686834647.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1689194936.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1687295898.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1687894860.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1689823290.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1692357935.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1688735219.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1690928109.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1710835665.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1695463546.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1692404459.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1696483870.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1693634957.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1697145400.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1694765547.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1695594668.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1700653639.00007FF63B487000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe.2.dr
Source:	Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 0000000E.00000002.1773036551.000000006C0F1000.00000020.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000018.00000002.2141420693.000000006C621000.00000020.00000001.01000000.0000000C.sdmp, GELEPLLV.msi, msvcp140.dll.13.dr, msvcp140.dll.2.dr

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B476D00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00007FF63B476D00

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: DuiLib_u.dll.2.dr	Static PE information: real checksum: 0xda891 should be: 0xe665e
Source: DuiLib_u.dll.13.dr	Static PE information: real checksum: 0xda891 should be: 0xe665e
Source: MSI2180.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x291f39
Source: igbbbmfix.25.dr	Static PE information: real checksum: 0x0 should be: 0xcdcb2
Source: hxyamwavxtmtm.15.dr	Static PE information: real checksum: 0x0 should be: 0xcdcb2
Source: _isres_0x0409.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1c5ec2

Source: MSI2180.tmp.0.dr	Static PE information: section name: .orpc
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140.dll.13.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_00EE2A26 push ecx; ret	13_2_00EE2A39
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C65E675 push ecx; ret	13_2_6C65E688
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C621119 pushad ; retn 0000h	13_2_6C6212B0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_00D12A26 push ecx; ret	14_2_00D12A39
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C12E675 push ecx; ret	14_2_6C12E688
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C0F1119 pushad ; retn 0000h	14_2_6C0F12B0

Source: ISRT.dll.2.dr

Static PE information: section name: .text entropy: 7.9838191086194135

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISRT.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	File created: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	File created: C:\Users\user\AppData\Roaming\Controltool_irh\msvcp140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2008.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\DuiLib_u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	File created: C:\Users\user\AppData\Roaming\Controltool_irh\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\igbbbmfix	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2180.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	File created: C:\Users\user\AppData\Roaming\Controltool_irh\DuiLib_u.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\msvcp140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\igbbbmfix			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\HXYAMWAVXTMTM
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\IGBBBMFIX

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50165
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 50167 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50167
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50171
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50177
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50183
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 50194 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50194
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 50200 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50200
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 50212 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50212
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 50214 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50214
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50215
Source: unknown	Network traffic detected: HTTP traffic on port 50217 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 50234 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50234
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50235
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 50239 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 50241 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50241
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 50249 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50249
Source: unknown	Network traffic detected: HTTP traffic on port 50250 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50250
Source: unknown	Network traffic detected: HTTP traffic on port 50251 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50251
Source: unknown	Network traffic detected: HTTP traffic on port 50252 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50252
Source: unknown	Network traffic detected: HTTP traffic on port 50253 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50253
Source: unknown	Network traffic detected: HTTP traffic on port 50254 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50254
Source: unknown	Network traffic detected: HTTP traffic on port 50255 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50255
Source: unknown	Network traffic detected: HTTP traffic on port 50256 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50256
Source: unknown	Network traffic detected: HTTP traffic on port 50257 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50257
Source: unknown	Network traffic detected: HTTP traffic on port 50258 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50258
Source: unknown	Network traffic detected: HTTP traffic on port 50259 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50259
Source: unknown	Network traffic detected: HTTP traffic on port 50260 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50260
Source: unknown	Network traffic detected: HTTP traffic on port 50261 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50261
Source: unknown	Network traffic detected: HTTP traffic on port 50262 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50262
Source: unknown	Network traffic detected: HTTP traffic on port 50263 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50263
Source: unknown	Network traffic detected: HTTP traffic on port 50264 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50264
Source: unknown	Network traffic detected: HTTP traffic on port 50265 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50265
Source: unknown	Network traffic detected: HTTP traffic on port 50266 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50266
Source: unknown	Network traffic detected: HTTP traffic on port 50267 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50267
Source: unknown	Network traffic detected: HTTP traffic on port 50268 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50268
Source: unknown	Network traffic detected: HTTP traffic on port 50269 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50269
Source: unknown	Network traffic detected: HTTP traffic on port 50270 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50270
Source: unknown	Network traffic detected: HTTP traffic on port 50272 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50272
Source: unknown	Network traffic detected: HTTP traffic on port 50273 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50273
Source: unknown	Network traffic detected: HTTP traffic on port 50274 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50274
Source: unknown	Network traffic detected: HTTP traffic on port 50275 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50275
Source: unknown	Network traffic detected: HTTP traffic on port 50276 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50276
Source: unknown	Network traffic detected: HTTP traffic on port 50277 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50277
Source: unknown	Network traffic detected: HTTP traffic on port 50278 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50278
Source: unknown	Network traffic detected: HTTP traffic on port 50281 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50281
Source: unknown	Network traffic detected: HTTP traffic on port 50282 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50282
Source: unknown	Network traffic detected: HTTP traffic on port 50283 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50283
Source: unknown	Network traffic detected: HTTP traffic on port 50284 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50284
Source: unknown	Network traffic detected: HTTP traffic on port 50285 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50285
Source: unknown	Network traffic detected: HTTP traffic on port 50286 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50286
Source: unknown	Network traffic detected: HTTP traffic on port 50287 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50287
Source: unknown	Network traffic detected: HTTP traffic on port 50288 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50288
Source: unknown	Network traffic detected: HTTP traffic on port 50289 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50289
Source: unknown	Network traffic detected: HTTP traffic on port 50290 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50290
Source: unknown	Network traffic detected: HTTP traffic on port 50291 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50291
Source: unknown	Network traffic detected: HTTP traffic on port 50292 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50292
Source: unknown	Network traffic detected: HTTP traffic on port 50293 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50293
Source: unknown	Network traffic detected: HTTP traffic on port 50294 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50294
Source: unknown	Network traffic detected: HTTP traffic on port 50295 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50295
Source: unknown	Network traffic detected: HTTP traffic on port 50296 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50296
Source: unknown	Network traffic detected: HTTP traffic on port 50297 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50297
Source: unknown	Network traffic detected: HTTP traffic on port 50298 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50298
Source: unknown	Network traffic detected: HTTP traffic on port 50300 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50300
Source: unknown	Network traffic detected: HTTP traffic on port 50301 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50301
Source: unknown	Network traffic detected: HTTP traffic on port 50302 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50302
Source: unknown	Network traffic detected: HTTP traffic on port 50304 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50304
Source: unknown	Network traffic detected: HTTP traffic on port 50305 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50305
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50306
Source: unknown	Network traffic detected: HTTP traffic on port 50307 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50307
Source: unknown	Network traffic detected: HTTP traffic on port 50308 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50308
Source: unknown	Network traffic detected: HTTP traffic on port 50309 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50309
Source: unknown	Network traffic detected: HTTP traffic on port 50310 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50310
Source: unknown	Network traffic detected: HTTP traffic on port 50311 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50311
Source: unknown	Network traffic detected: HTTP traffic on port 50313 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50313

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B47CC64 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00007FF63B47CC64

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	API/Special instruction interceptor: Address: 6C317C44
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	API/Special instruction interceptor: Address: 6C317C44
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	API/Special instruction interceptor: Address: 6C317945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C313B54

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: C80000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 48C0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2083			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7608			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISRT.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2008.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\igbbbmfix	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2180.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_3-8970
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_3-8497

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

API coverage: 0.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry key enumerated: More than 220 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -56891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59886s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -50375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -59136s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -55078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -37220s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -59918s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59131s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7812	Thread sleep time: -59003s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -49958s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -43003s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -46947s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -46878s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -53997s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7936	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -43109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -57305s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -47952s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -52444s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -50569s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -55857s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -33962s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -43060s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -56392s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -56976s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -54279s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -54316s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -31013s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -31306s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -52339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -38080s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7752	Thread sleep time: -59115s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5300	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C6320D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,		13_2_6C6320D0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C1020D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,		14_2_6C1020D0

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

Code function: 13_2_6C65F71A VirtualQuery,GetSystemInfo,

13_2_6C65F71A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59136	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37220	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59918	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59131	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49958	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46947	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57305	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52444	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50569	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55857	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33962	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43060	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56392	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56976	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54279	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54316	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31306	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38080	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59115	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: ISRT.dll.2.dr	Binary or memory string: _GetVirtualMachineType
Source: ISRT.dll.2.dr	Binary or memory string: _IsVirtualMachine
Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000019.00000002.2304030771.000000000499B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 00000017.00000002.4143381506.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$^
Source: ISRT.dll.2.dr	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_CtrlSetMLERichTextEx_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_List

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

API call chain: ExitProcess graph end node

graph_3-8972

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B47D098 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,

3_2_00007FF63B47D098

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B483008 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_00007FF63B483008

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B476D00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00007FF63B476D00

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B47CAE4 GetProcessHeap,

3_2_00007FF63B47CAE4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B47DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF63B47DCD4
Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe	Code function: 3_2_00007FF63B4807D8 SetUnhandledExceptionFilter,	3_2_00007FF63B4807D8
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_00EE27E0 SetUnhandledExceptionFilter,	13_2_00EE27E0
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_00EE264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00EE264A
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_00EE2529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00EE2529
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C65EEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C65EEB8
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_6C65F27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_6C65F27B
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_00D127E0 SetUnhandledExceptionFilter,	14_2_00D127E0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_00D1264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00D1264A
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_00D12529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00D12529
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C12EEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6C12EEB8
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_6C12F27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6C12F27B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	NtQuerySystemInformation: Direct from: 0x6C193538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	NtQuerySystemInformation: Direct from: 0x6C6A3538
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	NtProtectVirtualMemory: Direct from: 0x6C282AF6	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	NtProtectVirtualMemory: Direct from: 0x6B022B4D
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B0B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 767008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B0B1000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7D5008

Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: GELEPLLV.msi, MSI2180.tmp.0.dr	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: GELEPLLV.msi, MSI2180.tmp.0.dr	Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe

Code function: 13_2_00EE2835 cpuid

13_2_00EE2835

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,	13_2_6C647770
Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,	13_2_6C62C160
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,	14_2_6C117770
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,	14_2_6C0FC160

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\{6B7B1304-020A-4C07-94BF-9DA50C0AC2F1}\ISBEW64.exe

Code function: 3_2_00007FF63B481128 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00007FF63B481128

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2012956923.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2304532163.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2303821346.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\igbbbmfix, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7728, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2012956923.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2304532163.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2303821346.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\igbbbmfix, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.cmd.exe.4f800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5df00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2012956923.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2304532163.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2303821346.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\igbbbmfix, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\hxyamwavxtmtm, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7728, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\{9B76187E-770E-4DA5-BBE1-15F96754ECC5}\SplashWin.exe	Code function: 13_2_00EE13A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		13_2_00EE13A0
Source: C:\Users\user\AppData\Roaming\Controltool_irh\SplashWin.exe	Code function: 14_2_00D113A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		14_2_00D113A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	221 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	212 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	247 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	451 Security Software Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GELEPLLV.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
GELEPLLV.msi