Windows Analysis Report
mxywHBknfo.exe

Overview

General Information

Sample name: mxywHBknfo.exe
renamed because original name is a hash value
Original sample name: a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f.exe
Analysis ID: 1564530
MD5: a439025e40533f6e78c74fe8e9ce9875
SHA1: 6ae40c35d089fd05b521affda29c205effdf9928
SHA256: a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f
Tags: 45-141-84-168exeuser-JAMESWT_MHT

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Users\user\AppData\Local\Temp\nuoe Avira: detection malicious, Label: TR/Agent.wzofw
Source: C:\Users\user\AppData\Local\Temp\nuoe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\wwiqmn ReversingLabs: Detection: 68%
Source: mxywHBknfo.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\nuoe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: mxywHBknfo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: mxywHBknfo.exe, 00000000.00000002.2053766503.000002A534E00000.00000004.00000800.00020000.00000000.sdmp, mxywHBknfo.exe, 00000000.00000002.2045946664.000002A532786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: more.com, 00000002.00000002.2201079464.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.2200682124.00000000044DD000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347497608.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347732031.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: mxywHBknfo.exe, 00000000.00000002.2053766503.000002A534E00000.00000004.00000800.00020000.00000000.sdmp, mxywHBknfo.exe, 00000000.00000002.2045946664.000002A532786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: more.com, 00000002.00000002.2201079464.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.2200682124.00000000044DD000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347497608.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347732031.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06A5E245h 5_2_06A5DC1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06A5E245h 5_2_06A5E221

Networking

Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49718 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:49718
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49724 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49722 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49721 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49743 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49736 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49751 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49768 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49748 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49730 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49774 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49784 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49793 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49787 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49780 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49720 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49723 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49737 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49805 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49799 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49813 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49808 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49819 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49822 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49826 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49831 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49836 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49839 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49755 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49852 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49761 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49871 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49766 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49876 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49878 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49884 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49888 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49892 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49903 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49897 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49910 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49909 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49913 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49916 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49844 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49920 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49915 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49929 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:49920
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49906 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49932 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49923 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49928 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49935 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49938 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49848 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:49932
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49943 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49947 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49862 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49952 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49956 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49858 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49960 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49867 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49908 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49966 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49973 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49969 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49974 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49980 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49984 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49988 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49993 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50003 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50006 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50011 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:49999 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50015 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:49973
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50016 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50019 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50023 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50028 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50025 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50032 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50037 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50015
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50041 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50028
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50044 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50050 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50053 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50057 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50062 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50064 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50067 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50072 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50074 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50075 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50077 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50076 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50078 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50079 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50080 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50081 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50082 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50077
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50083 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50084 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50085 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50086 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50087 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50088 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50089 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50090 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50091 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50073 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50093 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50094 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50088
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50074
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50096 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50097 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50098 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50095 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50100 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50099 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50101 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50102 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50103 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50104 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50105 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50106 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50108 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50095
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50100
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50109 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50111 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50112 -> 45.141.84.168:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50110 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50113 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50114 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50115 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50116 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50117 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50118 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.84.168:15647 -> 192.168.2.5:50112
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50119 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50120 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50121 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50122 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50123 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50125 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50126 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50127 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50128 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50129 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50130 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50131 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50132 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50133 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50134 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50135 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50136 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50138 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50092 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50124 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.5:50137 -> 45.141.84.168:9000
Source: global traffic TCP traffic: 45.141.84.168 ports 9000,1,4,5,6,7,15647
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 45.141.84.168:15647
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 45.141.84.168:9000 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1 Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: Joe Sandbox View IP Address: 45.141.84.168 45.141.84.168
Source: Joe Sandbox View ASN Name: MEDIALAND-ASRU MEDIALAND-ASRU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49722 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49721 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49768 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49787 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49737 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49799 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49813 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49819 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49836 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49755 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49871 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49878 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49884 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49903 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49906 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49915 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49923 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49928 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49935 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49938 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49943 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49947 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49952 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49956 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49960 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49966 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49969 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49974 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49980 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49984 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49988 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50006 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49999 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50032 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50050 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50057 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50076 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50079 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50080 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50081 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50082 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50083 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50086 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50089 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50090 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50094 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50099 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50103 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50105 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50106 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50109 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50110 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50113 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50114 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50115 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50116 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50117 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50118 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50119 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50120 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50121 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50122 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50123 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50125 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50126 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50127 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50128 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50129 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50130 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50131 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50132 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50133 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50134 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50135 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50136 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50138 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50124 -> 45.141.84.168:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50137 -> 45.141.84.168:9000
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.84.168
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 45.141.84.168:9000
Source: MSBuild.exe, 00000005.00000002.4498432373.00000000027E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.4498432373.00000000027BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.84.168
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.84.168:9000
Source: MSBuild.exe, 00000005.00000002.4498432373.00000000027E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.4498432373.0000000002711000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.4498432373.00000000027AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
Source: MSBuild.exe, 00000005.00000002.4498432373.00000000027E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.84.168:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4FP
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: mxywHBknfo.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: mxywHBknfo.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: mxywHBknfo.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002711000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.com
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.com/
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/open
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.com/help/
Source: mxywHBknfo.exe String found in binary or memory: http://vovsoft.comopen
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: mxywHBknfo.exe String found in binary or memory: http://www.indyproject.org/
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A53548E000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.000000000483D000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 0000000A.00000002.2351000045.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/cLika3dt
Source: MSBuild.exe, 0000000A.00000002.2351000045.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/cLika3dtPO
Source: mxywHBknfo.exe String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/H
Source: mxywHBknfo.exe String found in binary or memory: https://vovsoft.com/translation/
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.2200961011.0000000004885000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000005.00000002.4505684228.000000000382E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: mxywHBknfo.exe String found in binary or memory: https://www.karenware.com/powertools/ptwhois0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:50056 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5C3F8 SetWindowsHookExW 0000000D,00000000,?,? 5_2_06A5C3F8

System Summary

Source: 10.2.MSBuild.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.more.com.5aa00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 8.2.more.com.5c200c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 8.2.more.com.5c200c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.more.com.5aa00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\nuoe, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\wwiqmn, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\mxywHBknfo.exe Code function: 0_2_00BE446E NtQuerySystemInformation, 0_2_00BE446E
Source: C:\Users\user\Desktop\mxywHBknfo.exe Code function: 0_2_00BE7E91 0_2_00BE7E91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00840040 5_2_00840040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00840012 5_2_00840012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBC880 5_2_00DBC880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DB1070 5_2_00DB1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBB01F 5_2_00DBB01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBD110 5_2_00DBD110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DB15E0 5_2_00DB15E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBA8F9 5_2_00DBA8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBC862 5_2_00DBC862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBA908 5_2_00DBA908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBD0F3 5_2_00DBD0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBB09E 5_2_00DBB09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DB1060 5_2_00DB1060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DB15C3 5_2_00DB15C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBBD45 5_2_00DBBD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBBD78 5_2_00DBBD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068DB810 5_2_068DB810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068DC027 5_2_068DC027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D4858 5_2_068D4858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068DD9D0 5_2_068DD9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D768B 5_2_068D768B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D94ED 5_2_068D94ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068DA010 5_2_068DA010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D0040 5_2_068D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D4843 5_2_068D4843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068DD9C0 5_2_068DD9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D9508 5_2_068D9508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A54790 5_2_06A54790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A51730 5_2_06A51730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A52CA8 5_2_06A52CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A53460 5_2_06A53460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5B468 5_2_06A5B468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A50C70 5_2_06A50C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A56C48 5_2_06A56C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A55388 5_2_06A55388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5E3E2 5_2_06A5E3E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A56308 5_2_06A56308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A558B0 5_2_06A558B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A57878 5_2_06A57878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A51729 5_2_06A51729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A52F58 5_2_06A52F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A52C97 5_2_06A52C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A50C60 5_2_06A50C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A58552 5_2_06A58552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5CA21 5_2_06A5CA21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5CA30 5_2_06A5CA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5DB88 5_2_06A5DB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A5537B 5_2_06A5537B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A55896 5_2_06A55896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_06A50040 5_2_06A50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_071F62E0 5_2_071F62E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_071FDCA0 5_2_071FDCA0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Code function: 7_2_000001F3DB486C5C 7_2_000001F3DB486C5C
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Code function: 7_2_000001F3DB485560 7_2_000001F3DB485560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DC1070 10_2_02DC1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCB01F 10_2_02DCB01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DC15E0 10_2_02DC15E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCB09E 10_2_02DCB09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DC1060 10_2_02DC1060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DC15C3 10_2_02DC15C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCA8A7 10_2_02DCA8A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCA908 10_2_02DCA908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCBD45 10_2_02DCBD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_02DCBD78 10_2_02DCBD78
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nuoe A499ADF007DF84FC58178A1FD861138C078731760BEA948501259C8E83E19783
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\wwiqmn A499ADF007DF84FC58178A1FD861138C078731760BEA948501259C8E83E19783
Source: mxywHBknfo.exe Static PE information: invalid certificate
Source: mxywHBknfo.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mxywHBknfo.exe Static PE information: Number of sections : 11 > 10
Source: mxywHBknfo.exe, 00000000.00000002.2044798756.000002A5308C2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePTWhoIs.exeFE2Xi vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2047392929.000002A534DA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePTWhoIs.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2057095301.000002A5356B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000000.2026307677.0000000001448000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePTWhoIs.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2045946664.000002A5328FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2044798756.000002A530953000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: )\StringFileInfo\040904B0\OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2047392929.000002A534415000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2047392929.000002A534415000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000000.2025389182.0000000000A91000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000000.2025389182.0000000000A91000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: \OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe, 00000000.00000002.2053766503.000002A534F86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mxywHBknfo.exe
Source: mxywHBknfo.exe Binary or memory string: OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe Binary or memory string: \OriginalFileName vs mxywHBknfo.exe
Source: mxywHBknfo.exe Binary or memory string: OriginalFilenamePTWhoIs.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs mxywHBknfo.exe
Source: 10.2.MSBuild.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5aa00c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 8.2.more.com.5c200c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 8.2.more.com.5c200c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5aa00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\nuoe, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\wwiqmn, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5aa00c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.more.com.5c200c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: mxywHBknfo.exe, 00000000.00000002.2044215666.000002A530739000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/56@0/1
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Roaming\sto
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Mutant created: \Sessions\1\BaseNamedObjects\VOVSOFT_Window_Resizer
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\a381c7bea27345e09604787bfabaa590
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Users\user\Desktop\mxywHBknfo.exe File created: C:\Users\user\AppData\Local\Temp\32d8a5fc
Source: mxywHBknfo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mxywHBknfo.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mxywHBknfo.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\more.com File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mxywHBknfo.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mxywHBknfo.exe ReversingLabs: Detection: 50%
Source: mxywHBknfo.exe String found in binary or memory: NATS-SEFI-ADD
Source: mxywHBknfo.exe String found in binary or memory: NATS-DANO-ADD
Source: mxywHBknfo.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: mxywHBknfo.exe String found in binary or memory: jp-ocr-b-add
Source: mxywHBknfo.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: mxywHBknfo.exe String found in binary or memory: jp-ocr-hand-add
Source: mxywHBknfo.exe String found in binary or memory: ISO_6937-2-add
Source: mxywHBknfo.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: mxywHBknfo.exe String found in binary or memory: application/vnd.groove-help
Source: mxywHBknfo.exe String found in binary or memory: "application/x-install-instructions
Source: C:\Users\user\Desktop\mxywHBknfo.exe File read: C:\Users\user\Desktop\mxywHBknfo.exe
Source: unknown Process created: C:\Users\user\Desktop\mxywHBknfo.exe "C:\Users\user\Desktop\mxywHBknfo.exe"
Source: C:\Users\user\Desktop\mxywHBknfo.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\sto\coml.exe "C:\Users\user\AppData\Roaming\sto\coml.exe"
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\mxywHBknfo.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mxywHBknfo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32
Source: dfumajfyesp.2.dr LNK file: ..\..\Roaming\sto\coml.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: mxywHBknfo.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: mxywHBknfo.exe Static file information: File size 10115160 > 1048576
Source: mxywHBknfo.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5eba00
Source: mxywHBknfo.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x27b800
Source: mxywHBknfo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: mxywHBknfo.exe, 00000000.00000002.2053766503.000002A534E00000.00000004.00000800.00020000.00000000.sdmp, mxywHBknfo.exe, 00000000.00000002.2045946664.000002A532786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: more.com, 00000002.00000002.2201079464.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.2200682124.00000000044DD000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347497608.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347732031.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: mxywHBknfo.exe, 00000000.00000002.2053766503.000002A534E00000.00000004.00000800.00020000.00000000.sdmp, mxywHBknfo.exe, 00000000.00000002.2045946664.000002A532786000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: more.com, 00000002.00000002.2201079464.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.2200682124.00000000044DD000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347497608.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000008.00000002.2347732031.0000000005330000.00000004.00001000.00020000.00000000.sdmp
Source: mxywHBknfo.exe Static PE information: section name: .didata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBEC5D push eax; iretd 5_2_00DBEC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBFB15 push ss; retf 0004h 5_2_00DBFB1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00DBFB05 push ss; retf 0004h 5_2_00DBFB0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_068D5D5A push esp; ret 5_2_068D5D61
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Code function: 7_2_00000007D2FED398 push ecx; retf 7_2_00000007D2FED399
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Code function: 7_2_00000007D2FEB884 push ecx; retf 7_2_00000007D2FEB8C9
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Code function: 7_2_00000007D2FEE3B0 pushad ; retf 7_2_00000007D2FEE3B1
Source: nuoe.2.dr Static PE information: section name: .text entropy: 6.816467095523557
Source: wwiqmn.8.dr Static PE information: section name: .text entropy: 6.816467095523557
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\nuoe
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\wwiqmn

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NUOE
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WWIQMN
Source: C:\Users\user\Desktop\mxywHBknfo.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive (24 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (12 identical entries)
Note: these classes are flagged because properties such as Win32_DiskDrive.Model and Win32_VideoController.Name carry the hypervisor's virtual device names, which a VM check compares against a vendor string list. Stealers also issue the same queries to build the hardware inventory they exfiltrate with the victim's credentials, so the queries alone do not prove a VM check; the repeated sleeps and the queries together are what make the evasion reading plausible.
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 75323B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: D70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C10000 memory reserve | memory write watch
Note: MEM_WRITE_WATCH is the flag the .NET garbage collector uses when it reserves heap segments, so for a CLR host such as MSBuild.exe these six reservations are expected runtime behaviour rather than a sandbox-evasion signal on their own.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7371 (call count)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2212 (call count)
Note: delay times are in milliseconds. 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10,000), i.e. an effectively infinite wait; 600000 is ten minutes, which on its own exceeds the three-minute long-sleep threshold in the signature list.
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nuoe
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wwiqmn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6592 Thread sleep time (report format "-<value>s >= -30000s", 13 entries in order observed): -30437127721620741s, -480000s, -59891s, -59781s, -59671s, -59562s, -59453s, -59344s, -59223s, -59109s, -59000s, -58891s, -58775s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5700 Thread sleep time (24 entries in order observed): -42766s, -56369s, -50891s, -56440s, -30253s, -49311s, -54917s, -37073s, -32257s, -52650s, -34620s, -39041s, -40901s, -43906s, -53434s, -51407s, -39915s, -50319s, -43441s, -54155s, -35129s, -33581s, -44716s, -49931s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6608 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1520 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3652 Thread sleep time: -922337203685477s >= -30000s
Note: despite the "s" suffix these figures are milliseconds: they match the "Thread delayed: delay time" entries below and -30000 is the 30 s threshold of the sleep signature. Negative values are how NtDelayExecution expresses a relative interval. TID 5700 issues 24 sleeps of roughly 30 to 56 s each, the shape of a polling loop that waits out the analysis window; TID 3652's -922337203685477 is TimeSpan.MaxValue in milliseconds, so that thread never resumes inside the run; -30437127721620741 (about a million years) is most likely a capture artefact and should not be summed into any total.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (12 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time (ms, 40 entries in order observed): 922337203685477, 60000, 42766, 59891, 59781, 56369, 59671, 50891, 59562, 59453, 59344, 59223, 59109, 59000, 58891, 56440, 30253, 58775, 49311, 54917, 37073, 32257, 52650, 34620, 39041, 40901, 43906, 53434, 51407, 60000, 39915, 50319, 43441, 54155, 35129, 600000, 33581, 44716, 49931, 922337203685477
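To turn the sleep and WMI entries above into a triage answer (does the sample out-wait the analysis window, and which of the queried classes would leak a hypervisor), here is an added Python example; it is not part of this report or of any vendor tooling. The sample lines are copied from this page with the link text removed; the ten-minute window, the millisecond reading of the report's "s" suffix and the property table are assumptions made for the example.

```python
"""Triage of the sleep and WMI evasion entries of a sandbox behaviour report.

Added example, not part of the report or of any vendor tooling. The sample
lines are copied from this page (link text stripped); the analysis window,
the millisecond reading of the report's 's' suffix and the property table
are assumptions made for the example.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue.Ticks is Int64.MaxValue; one tick is 100 ns, so the value in
# milliseconds is Int64.MaxValue // 10_000 == 922337203685477, the sentinel the
# report shows for an effectively infinite wait.
TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000

# Constructed from the report's own entries.
REPORT_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6592 Thread sleep time: -480000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5700 Thread sleep time: -42766s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5700 Thread sleep time: -56369s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1520 Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3652 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]

# Assumed table: WMI classes whose properties commonly expose a hypervisor and
# the properties a VM check would read from each.
VM_LEAKING_PROPERTIES = {
    "Win32_DiskDrive":       ["Model", "Caption"],              # virtual disk model strings
    "Win32_VideoController": ["Name", "AdapterCompatibility"],  # virtual display adapter names
    "Win32_Processor":       ["Name", "NumberOfCores"],         # tiny core counts are a sandbox tell
    "Win32_ComputerSystem":  ["Manufacturer", "Model"],
    "Win32_BIOS":            ["Manufacturer", "SerialNumber"],
}

SLEEP_RE = re.compile(r"TID: (\d+) Thread sleep time: -(\d+)s >= -(\d+)s")
WMI_RE = re.compile(r"WMI Queries: .*? : SELECT \* FROM (\w+)", re.IGNORECASE)


def parse_sleeps(lines):
    """Requested delays per thread, in milliseconds.

    The report prints an 's' suffix, but the numbers equal its 'Thread delayed:
    delay time' entries (milliseconds) and -30000 is the 30 s threshold, so they
    are read as milliseconds here (assumption)."""
    per_tid = defaultdict(list)
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            per_tid[int(m.group(1))].append(int(m.group(2)))
    return dict(per_tid)


def summarize_sleeps(per_tid, analysis_window_ms=10 * 60 * 1000):
    """Per thread: number of infinite waits (the TimeSpan.MaxValue sentinel),
    total of the finite delays, and whether those alone outlast the window
    (ten minutes assumed)."""
    summary = {}
    for tid, delays in per_tid.items():
        finite = [d for d in delays if d < TIMESPAN_MAX_MS]
        summary[tid] = {
            "infinite_waits": len(delays) - len(finite),
            "finite_total_ms": sum(finite),
            "exhausts_window": sum(finite) >= analysis_window_ms,
        }
    return summary


def classify_wmi(lines):
    """Count each queried WMI class and list the properties that would leak a
    hypervisor from it; an empty list means the class is not in the table."""
    counts = defaultdict(int)
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {cls: {"count": n, "leaks_via": VM_LEAKING_PROPERTIES.get(cls, [])}
            for cls, n in counts.items()}


if __name__ == "__main__":
    for tid, info in sorted(summarize_sleeps(parse_sleeps(REPORT_LINES)).items()):
        print(f"TID {tid}: {info}")
    for cls, info in classify_wmi(REPORT_LINES).items():
        print(f"{cls}: queried {info['count']}x, VM-revealing properties {info['leaks_via']}")
```

Run against the full report rather than the five sleep lines embedded here, the per-thread totals show which thread is the polling loop (TID 5700 above) and which threads park themselves for the whole run; the infinite-wait sentinel is kept out of the finite total so one TimeSpan.MaxValue call cannot mask the real loop behind it.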
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MSBuild.exe, 00000005.00000002.4495509060.00000000009CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: more.com, 00000008.00000002.2347623490.0000000005204000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: MSBuild.exe, 00000005.00000002.4498432373.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: C:\Users\user\Desktop\mxywHBknfo.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtClose: Direct from: 0x7FF8C7E8CDF8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtClose: Direct from: 0x16F5
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtProtectVirtualMemory: Direct from: 0x18710
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtDelayExecution: Direct from: 0xEBE4EFDEE0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtClose: Direct from: 0x191
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtProtectVirtualMemory: Direct from: 0x2A5309A6FE0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtCreateFile: Direct from: 0x1F300000080
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtProtectVirtualMemory: Direct from: 0x1F3DE62F37E
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtCreateFile: Direct from: 0x700000080
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtProtectVirtualMemory: Direct from: 0x93388ED1F
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtProtectVirtualMemory: Direct from: 0x1F3D9BC6FE0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtProtectVirtualMemory: Direct from: 0x941B3A8A2
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtAllocateVirtualMemory: Direct from: 0x7FF8C7E98E14
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtProtectVirtualMemory: Direct from: 0x2A53567037E
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtAllocateVirtualMemory: Direct from: 0x7FF8C7E860D4
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtReadFile: Direct from: 0x2D4
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtCreateFile: Direct from: 0xEB00000080
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtAllocateVirtualMemory: Direct from: 0x2D8
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtReadFile: Direct from: 0x1EF590
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtReadFile: Direct from: 0x2DC
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtProtectVirtualMemory: Direct from: 0x3
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtDelayExecution: Direct from: 0x7D2FEDDE0
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtQuerySystemInformation: Direct from: 0x7FF8C7E86118
Source: C:\Users\user\Desktop\mxywHBknfo.exe NtCreateFile: Direct from: 0x2A500000080
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtAllocateVirtualMemory: Direct from: 0x40
Source: C:\Users\user\AppData\Roaming\sto\coml.exe NtAllocateVirtualMemory: Direct from: 0x2E0
Source: C:\Users\user\Desktop\mxywHBknfo.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6E551000
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 5E7008
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6E551000
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B23008
Source: C:\Users\user\Desktop\mxywHBknfo.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: mxywHBknfo.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\mxywHBknfo.exe Queries volume information: C:\Users\user\AppData\Local\Temp\32d8a5fc VolumeInformation
Source: C:\Windows\SysWOW64\more.com Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sto\coml.exe Queries volume information: C:\Users\user\AppData\Local\Temp\40d10350 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 10.2.MSBuild.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2347964696.0000000005C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2201413621.0000000005AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2348008765.0000000000D02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3348, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nuoe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wwiqmn, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match File source: 10.2.MSBuild.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2347964696.0000000005C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2201413621.0000000005AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2348008765.0000000000D02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3348, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nuoe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wwiqmn, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 10.2.MSBuild.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.more.com.5c200c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5aa00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2347964696.0000000005C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2201413621.0000000005AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2348008765.0000000000D02000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 3348, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nuoe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wwiqmn, type: DROPPED