Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Analysis ID: 1528522
MD5: 34c8e1d5de3565d30012425d880ab514
SHA1: 866082315a5cdea3d26d8edc905065f509158f61
SHA256: fb128fb5731c85a480df19fdb74925d5200b1729cf7478a088ec31c0ba944fba
Tags: AdwareGenericexe

Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Malicious sample detected (through community Yara rule)
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Form action URLs do not match main URL
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTML page contains hidden javascript code
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: Form action: https://www.bolidesoft.com/ssendy/subscribe highmotionsoftware bolidesoft
Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: Base64 decoded: RS}r*dq?W
Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: Iframe src: //www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FImBatch&width=550&height=290&show_faces=true&colorscheme=light&stream=false&border_color&header=true&appId=254901247880888
Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: No favicon
Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: No <meta name="author".. found
Source: https://www.highmotionsoftware.com/products/imbatch/thankyou HTTP Parser: No <meta name="copyright".. found
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.164.223:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.193.111.117:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49885 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Develop\VisualStudio\DirectXTex\DirectXTex-master\DirectXTex\Bin\Desktop_2017\Win32\Release\DirectXTex.pdb source: ImBatch.exe, 00000004.00000002.4048877363.000000006E6A2000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\Develop\VisualStudio\heif\Release\heif.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1668038621.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4049911354.000000006EB0F000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: {D:\Develop\VisualStudio\DirectXTex\DirectXTex-master\DirectXTex\Bin\Desktop_2017\Win32\Release\DirectXTex.pdb source: ImBatch.exe, 00000004.00000002.4048877363.000000006E6A2000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\x64\Release\ImBatchContextMenuHandler-x64.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\Release\ImBatchContextMenuHandler.pdb! source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: YD:\Delphi Projects\ImBatchContextMenu\x64\Release\ImBatchContextMenuHandler-x64.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Develop\VisualStudio\webp\Output\Win32\Release\webp.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4048026498.000000006D4B1000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Delphi Projects\PhotoshopHost\pspiHost\Out\Win32\Release\pspiHost.pdb source: ImBatch.exe, 00000004.00000002.4040195438.000000006C5DA000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\Release\ImBatchContextMenuHandler.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3A3CC FindFirstFileW,FindClose, 4_2_0EE3A3CC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE39E64 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_0EE39E64
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE44A84 FindFirstFileW,FindClose, 4_2_0EE44A84
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1023590A FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 4_2_1023590A
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1000D580 FindFirstFileA,FindFirstFileA,FindFirstFileA, 4_2_1000D580
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D28DF FindFirstFileExW, 4_2_6C5D28DF
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CD344 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 4_2_6C5CD344
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4x nop then mov eax, 00002018h 4_2_1000475A
Source: global traffic HTTP traffic detected: POST /bc/put.php?v=1&pid=110&w=cd&cid={DC960FFD-14A7-48B7-83D1-6FA0A6445A05}&h=1a5f27020f5d05939025c0cc7616f480 HTTP/1.1Host: www.bolidesoft.com:443Content-Type: multipart/form-data; boundary=--------100724184117203Content-Length: 4272Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5af2178aef7e776b5dd854a267c1cd0f
Source: Joe Sandbox View IP Address: 104.16.79.73
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49787 -> 172.67.164.223:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49782 -> 172.67.164.223:443
Source: global traffic HTTP traffic detected: GET /misc/jquery.js?v=1.4.4 HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /a/banner/check.php?pid=110&b=762&l=0&f=n&ab=%3CClick%20to%20set%20your%20name%20here%3E&c=91DA9E9C&cid={DC960FFD-14A7-48B7-83D1-6FA0A6445A05}&rc=1&nocache=148 HTTP/1.1User-Agent: ImBatchHost: www.bolidesoft.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /upd/imbatch/url HTTP/1.1User-Agent: ImBatchUpdaterHost: www.highmotionsoftware.com
Source: global traffic HTTP traffic detected: GET /beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015 HTTP/1.1Host: static.cloudflareinsights.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.highmotionsoftware.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.highmotionsoftware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2FImBatch&width=550&height=290&show_faces=true&colorscheme=light&stream=false&border_color&header=true&appId=254901247880888 HTTP/1.1Host: www.facebook.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.highmotionsoftware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/content-wrapper.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/navigation-wrapper-2.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/libraries/superfish/images/arrows-ffffff.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/libraries/superfish/css/superfish.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/modules/languageicons/flags/ru.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/products/imbatch/thankyouAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/modules/languageicons/flags/en.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/products/imbatch/thankyouAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/header.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/libraries/superfish/jquery.hoverIntent.minified.js?s7978o HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /misc/drupal.js?s7978o HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/libraries/superfish/superfish.js?s7978o HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/libraries/superfish/supersubs.js?s7978o HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/modules/superfish/superfish.js?s7978o HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015 HTTP/1.1Host: static.cloudflareinsights.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yK/l/0,cross/O0Uz2Q0jyKe.css HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yw/r/u5OMVLVnVwH.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/y3/r/Vvet8_5H-wT.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3issO4/yc/l/en_US/YYUppJnv9Es.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3i7M54/yL/l/en_US/xKY8pb0-fD_.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v/t39.30808-6/303280254_411128561164160_6605626465690304584_n.jpg?stp=dst-jpg_s526x395&_nc_cat=106&ccb=1-7&_nc_sid=4cb600&_nc_ohc=1I2yrbFI2LYQ7kNvgEsGWmR&_nc_ht=scontent-msp1-1.xx&edm=AEDRbFQEAAAA&_nc_gid=A4syIzp1y9Bx-a7cihdwta0&oh=00_AYCdJGOufY8qZigevwZ9U0PHjEqRvLbmQ_sPWeanTh1Z5w&oe=670A27D3 HTTP/1.1Host: scontent-msp1-1.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yV/r/fZu5tZNIUeX.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/header-wrapper-2.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/help.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/navigation.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/footer-wrapper.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/sites/all/themes/freshmade/style.css?s7978oAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/modules/languageicons/flags/ru.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/modules/languageicons/flags/en.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/content-wrapper.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/navigation-wrapper-2.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/libraries/superfish/images/arrows-ffffff.png HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/header.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878
Source: global traffic HTTP traffic detected: GET /v/t39.30808-6/303280254_411128561164160_6605626465690304584_n.jpg?stp=dst-jpg_s526x395&_nc_cat=106&ccb=1-7&_nc_sid=4cb600&_nc_ohc=1I2yrbFI2LYQ7kNvgEsGWmR&_nc_ht=scontent-msp1-1.xx&edm=AEDRbFQEAAAA&_nc_gid=A4syIzp1y9Bx-a7cihdwta0&oh=00_AYCdJGOufY8qZigevwZ9U0PHjEqRvLbmQ_sPWeanTh1Z5w&oe=670A27D3 HTTP/1.1Host: scontent-msp1-1.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yF/r/p55HfXW__mM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/y3/r/Vvet8_5H-wT.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v/t39.30808-1/305658665_411128564497493_3948090867100769521_n.jpg?stp=cp0_dst-jpg_s50x50&_nc_cat=110&ccb=1-7&_nc_sid=6738e8&_nc_ohc=ILFttH4rPpYQ7kNvgEXQC67&_nc_ht=scontent-msp1-1.xx&edm=AEDRbFQEAAAA&_nc_gid=A4syIzp1y9Bx-a7cihdwta0&oh=00_AYA9WCkZOMo01cK7VhGgG8y9efecxW6MGJWI6xwYX39svg&oe=670A2166 HTTP/1.1Host: scontent-msp1-1.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3issO4/yc/l/en_US/YYUppJnv9Es.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yV/r/fZu5tZNIUeX.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3i7M54/yL/l/en_US/xKY8pb0-fD_.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yw/r/u5OMVLVnVwH.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yF/r/p55HfXW__mM.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yw/r/UXtr_j2Fwe-.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.xx.fbcdn.net/rsrc.php/v3/yK/l/0,cross/O0Uz2Q0jyKe.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/help.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/footer-wrapper.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/header-wrapper-2.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /sites/all/themes/freshmade/img/navigation.gif HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yR/r/PNStWZQ9T-1.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://www.facebook.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://www.facebook.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v/t39.30808-1/305658665_411128564497493_3948090867100769521_n.jpg?stp=cp0_dst-jpg_s50x50&_nc_cat=110&ccb=1-7&_nc_sid=6738e8&_nc_ohc=ILFttH4rPpYQ7kNvgEXQC67&_nc_ht=scontent-msp1-1.xx&edm=AEDRbFQEAAAA&_nc_gid=A4syIzp1y9Bx-a7cihdwta0&oh=00_AYA9WCkZOMo01cK7VhGgG8y9efecxW6MGJWI6xwYX39svg&oe=670A2166 HTTP/1.1Host: scontent-msp1-1.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yw/r/UXtr_j2Fwe-.png HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rsrc.php/v3/yR/r/PNStWZQ9T-1.js HTTP/1.1Host: static.xx.fbcdn.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sites/default/files/favicon.ico HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.highmotionsoftware.com/products/imbatch/thankyouAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /sites/default/files/favicon.ico HTTP/1.1Host: www.highmotionsoftware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __utma=1.319632712.1728340878.1728340878.1728340878.1; __utmc=1; __utmz=1.1728340878.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; __utmb=1.1.10.1728340878; _ga=GA1.1.2068184034.1728340878; _ga_DM0MT881VN=GS1.1.1728340877.1.0.1728340878.0.0.0
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cL3SfTB3m4YLydf&MD=8HgmYluO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /ajax/bz?__a=1&__ccg=GOOD&__dyn=7wKxa13wt8K2Wmh0Sw8W5U4e0yoW1DwfG1-wd-4o3Bw5VCwjE3awbG0MU2aw7Bx61vw5zw78w5Uw64w8W1uwc-0pa0h-0Lo6-0uS0ue0QU&__hs=20003.BP%3Aplugin_default_pkg.2.0..0.0&__hsi=7423167547787923565&__req=1&__rev=1017120959&__s=%3A%3Akwak1i&__sp=1&__user=0&dpr=1&jazoest=21864&lsd=zEMCM_Ae440ReJt2zgxGVr HTTP/1.1Host: www.facebook.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: &redirect_uri=fhttps://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: 3https://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: Vhttps://www.facebook.com/v3.2/dialog/oauth? equals www.facebook.com (Facebook)
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.facebook.com/ImBatchU equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: www.highmotionsoftware.com
Source: global traffic DNS traffic detected: DNS query: badges.crowdin.net
Source: global traffic DNS traffic detected: DNS query: img.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: www.bolidesoft.com
Source: global traffic DNS traffic detected: DNS query: static.cloudflareinsights.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: static.xx.fbcdn.net
Source: global traffic DNS traffic detected: DNS query: scontent-msp1-1.xx.fbcdn.net
Source: unknown HTTP traffic detected: POST /bc/put.php?v=1&pid=110&w=cd&cid={DC960FFD-14A7-48B7-83D1-6FA0A6445A05}&h=1a5f27020f5d05939025c0cc7616f480 HTTP/1.1Host: www.bolidesoft.com:443Content-Type: multipart/form-data; boundary=--------100724184117203Content-Length: 4272Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=5af2178aef7e776b5dd854a267c1cd0f
Source: ImBatch.exe, 00000004.00000002.4032469753.0000000010268000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: ftp://swrinde.nde.swri.edu/pub/mng/documents/.See
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000517C000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://headhtml%.20s%ddefault%d%.20s
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000517C000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://medical.nema.org/.
Source: ImBatch.exe, 00000004.00000002.3956213744.0000000002006000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://umich.edu/~shameem)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.HighMotionSoftware.com/
Source: ImBatch.exe, ImBatch.exe, 00000004.00000002.4017725427.000000000EE31000.00000020.00000001.01000000.00000015.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1444075146.0000000002580000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1682173621.0000000002207000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp, is-8GFDD.tmp.2.dr String found in binary or memory: http://www.eurekalog.com/help/eurekalog/internal_errors.phpEurekaLog
Source: chromecache_296.9.dr String found in binary or memory: http://www.google-analytics.com
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.highmotionsoftware.com/products/imbatch)
Source: ImBatch.exe, 00000004.00000002.4032469753.0000000010237000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.imagemagick.org
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.imagemagick.org/script/license.php
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.imagemagick.org/www/Notice.html.
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010237000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.imagemagick.org=h#
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010237000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.imagemagick.orgindex.htmlQ16ImageMagick
Source: ImBatch.exe, 00000004.00000002.3954183742.00000000010AE000.00000020.00000001.01000000.00000007.sdmp, ImBatch.exe, 00000004.00000002.4004426872.00000000051EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: ImBatch.exe, 00000004.00000002.4032469753.0000000010268000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.libpng.org/
Source: ImBatch.exe, 00000004.00000002.4032469753.0000000010268000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.libpng.org/pub/mng/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000517C000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.smtpe.org
Source: ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.wvware.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000517C000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.wvware.com/c:
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000517C000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4032469753.0000000010319000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.wvware.com/libwmf:
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://crowdin.com/project/imbatchU
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B8C000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascnsrsggc:86:0
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B8C000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascnsrsggc:86:0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://icons8.ru/
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://imagemagick.org/script/download.php#windowsopen
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: chromecache_296.9.dr String found in binary or memory: https://ssl.google-analytics.com
Source: chromecache_296.9.dr String found in binary or memory: https://ssl.google-analytics.com/j/__utm.gif
Source: chromecache_296.9.dr String found in binary or memory: https://stats.g.doubleclick.net/j/collect?
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.HighMotionSoftware.com)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1682173621.000000000231C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.HighMotionSoftware.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.HighMotionSoftware.com/$not
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1682173621.000000000231C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.HighMotionSoftware.com/)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1444075146.0000000002580000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.HighMotionSoftware.com/Fhttps://www.HighMotionSoftware.com/Fhttps://www.HighMotionSoftwa
Source: ImBatch.exe, 00000004.00000002.4039335647.00000000151FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bolidesoft.com/
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.bolidesoft.com/a/activate/activate.php?pid=110&kid=112&hw=
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.bolidesoft.com/a/banner/check.php?pid=110&b=
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bolidesoft.com/a/banner/check.php?pid=110&b=762&l=0&f=n&ab=%3CClick%20to%20set%20your%20
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.bolidesoft.com/bc/put.php?v=1&pid=
Source: ImBatch.exe, 00000004.00000002.3980972653.0000000002324000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bolidesoft.com/bc/put.php?v=1&pid=110&w=cd&cid=
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&tid=
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B3B000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&tid=G-66RSDWSDJF&cid=%7BDC960FFD-14A7-48B7-83D1-6FA0A
Source: chromecache_296.9.dr String found in binary or memory: https://www.google.%/ads/ga-audiences?
Source: chromecache_296.9.dr String found in binary or memory: https://www.google.com/analytics/web/inpage/pub/inpage.js?
Source: ImBatch.exe, 00000004.00000002.4039335647.00000000151FE000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/SP.dll1
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/XK=h%
Source: ImBatch.exe, 00000004.00000002.4035000015.0000000014674000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4039335647.00000000151E8000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4027221865.000000000F99D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/download-center/imbatch
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.highmotionsoftware.com/help/imbatch/filter_taskU
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.highmotionsoftware.com/imb_order.php?LangID=
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/ll
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/lucent
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1625867605.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1626988732.0000000003D6E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1626988732.0000000003D4D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyou
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1653547838.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1625867605.00000000009A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyou$
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1653547838.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1625867605.00000000009A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyou3
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1670201560.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyou5
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616286651.00000000007D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyouC:
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyouP
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyouW
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1653547838.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1625867605.00000000009A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyoues
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1653547838.00000000009A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1625867605.00000000009A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyougx
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyoul
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyous
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1678242586.0000000003B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/thankyouu
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/products/imbatch/uninstall
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1444075146.0000000002580000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1682173621.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1642823671.0000000002497000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1626988732.0000000003D2A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1626988732.0000000003D6E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1450311174.0000000003510000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1626988732.0000000003D4D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/ru/products/imbatch/thankyou
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B3B000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp, ImBatch.exe, 00000004.00000002.4007089513.0000000005630000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/url
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/urlU
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007B6E000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4039335647.00000000151E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/version
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/versionR
Source: ImBatch.exe, 00000004.00000002.4037746737.0000000014E08000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/versiona
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007BF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.highmotionsoftware.com/upd/imbatch/versionpp
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1446570727.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1445813136.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000000.1448131608.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1446570727.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1445813136.00000000026C0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000000.1448131608.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.164.223:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.193.111.117:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.8:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.8:49885 version: TLS 1.2
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3DCFE OpenClipboard, 4_2_0EE3DCFE
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3DDC2 SetClipboardData, 4_2_0EE3DDC2
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3DAA6 GetClipboardData, 4_2_0EE3DAA6
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE85770 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_0EE85770
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3DB16 GetKeyboardState, 4_2_0EE3DB16

System Summary

Source: 00000004.00000002.3980690776.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000004.00000002.3980029463.00000000020F8000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000004.00000002.3980029463.00000000020F8000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 Author: unknown
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Memory allocated: 769B0000 page read and write
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Memory allocated: 756F0000 page read and write
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Memory allocated: 775A0000 page read and write
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_058939D4 4_2_058939D4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_05896390 4_2_05896390
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_05891E64 4_2_05891E64
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F018C5C 4_2_0F018C5C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F0111B8 4_2_0F0111B8
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFCFFA0 4_2_0EFCFFA0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF1EF88 4_2_0EF1EF88
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFFBF60 4_2_0EFFBF60
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F089EE0 4_2_0F089EE0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF22F0C 4_2_0EF22F0C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE38CB4 4_2_0EE38CB4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F069D78 4_2_0F069D78
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F06BC30 4_2_0F06BC30
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F030C70 4_2_0F030C70
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F095BC0 4_2_0F095BC0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF23650 4_2_0EF23650
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE33704 4_2_0EE33704
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFDC404 4_2_0EFDC404
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF242E8 4_2_0EF242E8
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE8B298 4_2_0EE8B298
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE8A25C 4_2_0EE8A25C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF243D4 4_2_0EF243D4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF2339C 4_2_0EF2339C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFCC380 4_2_0EFCC380
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F0011AC 4_2_0F0011AC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F06B05C 4_2_0F06B05C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100299B0 4_2_100299B0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1001B1C0 4_2_1001B1C0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_102301E9 4_2_102301E9
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100ECA60 4_2_100ECA60
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10019A80 4_2_10019A80
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100292D4 4_2_100292D4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100292F3 4_2_100292F3
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10228B35 4_2_10228B35
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10021B20 4_2_10021B20
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1004D380 4_2_1004D380
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1006ABB0 4_2_1006ABB0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100184F0 4_2_100184F0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10020510 4_2_10020510
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10017570 4_2_10017570
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100EC590 4_2_100EC590
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10058E50 4_2_10058E50
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10054EC0 4_2_10054EC0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10016730 4_2_10016730
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_10051FB0 4_2_10051FB0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D4DDB 4_2_6C5D4DDB
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CD5A7 4_2_6C5CD5A7
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5C3050 4_2_6C5C3050
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5C5240 4_2_6C5C5240
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5FC4C0 4_2_6C5FC4C0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C62A4C0 4_2_6C62A4C0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5FBCE0 4_2_6C5FBCE0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C618CB0 4_2_6C618CB0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_05894090 4_2_05894090
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_05894E5C 4_2_05894E5C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 102247E9 appears 65 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10001A60 appears 99 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 102235B0 appears 66 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10005640 appears 79 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10004E10 appears 83 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10001B20 appears 151 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10229110 appears 38 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 0EE690D4 appears 56 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 6C5CCE50 appears 33 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 0EE353D8 appears 56 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10004A10 appears 278 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 0589B59C appears 70 times
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: String function: 10007FA0 appears 196 times
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-3GFF4.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-AVM6R.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: is-AVM6R.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: is-GR2NP.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: is-8GFDD.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1445813136.00000000029A9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000000.1443528355.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1446570727.000000007FE15000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe, 00000000.00000003.1682173621.00000000022E8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000004.00000002.3980690776.00000000022C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000004.00000002.3980029463.00000000020F8000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000004.00000002.3980029463.00000000020F8000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12
Source: is-AVM6R.tmp.2.dr Static PE information: Section: ZLIB complexity 0.9994049669600075
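The static PE findings in this section (nameless section names, more than ten sections, a section whose ZLIB complexity is close to 1.0, and the decoded IMAGE_FILE_HEADER characteristics) can be reproduced on any dropped file without the sandbox. The script below is an added example written for this page; it is not code from the report, from Joe Sandbox, or from ImBatch. It assumes that "ZLIB complexity" means compressed size divided by raw size capped at 1.0, and the thresholds (10 sections, 0.99 complexity) are assumptions chosen to match the wording above. Instead of reading the real dropped files it constructs two minimal, non-executable PE images in memory (labelled as constructed) so that it runs offline; point `findings()` at the bytes of a real `is-*.tmp` file to use it for triage.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass

# IMAGE_FILE_HEADER.Characteristics bits, named as winnt.h and the report name them.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x8000: "BYTES_REVERSED_HI",
}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    zlib_complexity: float


def zlib_complexity(data: bytes) -> float:
    # Assumption: complexity = compressed length / raw length, capped at 1.0.
    # Values near 1.0 mean the bytes are already compressed or encrypted.
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def parse_pe(data: bytes):
    """Return (Characteristics, [Section]) for a PE image; raises on bad headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        raw_name, vsize, vaddr, rsize, roff, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        sections.append(Section(name, vsize, vaddr, rsize, roff,
                                zlib_complexity(data[roff:roff + rsize])))
    return chars, sections


def decode_characteristics(chars: int):
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]


def findings(data: bytes, max_sections: int = 10, packed_threshold: float = 0.99):
    """Emit the three static findings using the report's own wording."""
    _, sections = parse_pe(data)
    out = []
    nameless = [s for s in sections if not s.name]
    if nameless:
        out.append(f"PE file has nameless sections ({len(nameless)})")
    if len(sections) > max_sections:
        out.append(f"Number of sections : {len(sections)} > {max_sections}")
    for s in sections:
        if s.raw_size and s.zlib_complexity >= packed_threshold:
            out.append(f"Section {s.name or '<nameless>'}: ZLIB complexity {s.zlib_complexity:.4f}")
    return out


def build_sample_pe(names, bodies, characteristics=0x818F) -> bytes:
    """Construct a minimal, non-executable PE image for testing (no file alignment)."""
    opt_size = 0xE0  # PE32 optional header size; its contents are not needed here
    table_off = 0x40 + 4 + 20 + opt_size
    raw_off = table_off + 40 * len(names)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, characteristics)
    table, payload = b"", b""
    for i, (name, body) in enumerate(zip(names, bodies)):
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(body), 0x1000 * (i + 1), len(body), raw_off + len(payload),
                             0, 0, 0, 0, 0x60000020)
        payload += body
    return bytes(dos) + coff + bytes(opt_size) + table + payload


def demo():
    # Constructed inputs: a plain two-section image, and an eleven-section image whose first
    # nameless section holds incompressible pseudo-random bytes, as a packer or crypter leaves it.
    code = b"\x90" * 2000 + b"\xC3"
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    clean = build_sample_pe([".text", ".data"], [code, b"\0" * 512])
    packed = build_sample_pe([".text"] + [""] * 6 + [".rsrc", ".reloc", ".tls", ".idata"],
                             [code, junk] + [b"\0" * 64] * 9)
    return findings(clean), findings(packed), decode_characteristics(parse_pe(packed)[0])


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The 0x818F value used for the constructed image decodes to exactly the seven flags the report lists for the main sample. Treat a high ZLIB complexity as a heuristic rather than a verdict: a compressed installer payload or an embedded resource scores the same way as a crypter stub, so it should be read together with the nameless-section and section-count findings and the memory YARA matches, not on its own.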
Source: is-8GFDD.tmp.2.dr Binary string: \Device\Video0
Source: classification engine Classification label: sus30.evad.winEXE@21/377@32/17
Source: is-MOFJV.tmp.2.dr Initial sample: http://www.highmotionsoftware.com/products/imbatch
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE8105C GetLastError,FormatMessageW, 4_2_0EE8105C
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3D25A GetDiskFreeSpaceW, 4_2_0EE3D25A
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3D46E SizeofResource, 4_2_0EE3D46E
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Mutant created: NULL
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Mutant created: \Sessions\1\BaseNamedObjects\imbatch_update
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe File created: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp
Source: Yara match File source: C:\Program Files (x86)\ImBatch\is-8GFDD.tmp, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ImBatch\is-GR2NP.tmp, type: DROPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Process created: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp "C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp" /SL5="$1040C,24100606,908800,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process created: C:\Program Files (x86)\ImBatch\ImBatch.exe "C:\Program Files (x86)\ImBatch\ImBatch.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.highmotionsoftware.com/products/imbatch/thankyou
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2436,i,14634067751005810082,15773404869222309641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Process created: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp "C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp" /SL5="$1040C,24100606,908800,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process created: C:\Program Files (x86)\ImBatch\ImBatch.exe "C:\Program Files (x86)\ImBatch\ImBatch.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.highmotionsoftware.com/products/imbatch/thankyou
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 --field-trial-handle=2436,i,14634067751005810082,15773404869222309641,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: avifil32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: jpeg62.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: pspihost.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: security.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: directxtex.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: libheif.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: libde265.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: core_rl_wand_.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: core_rl_magickwand_.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: mscms.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: coloradapterclient.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dciman32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wpdfview03.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wpdecodejp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: thumbcache.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: policymanager.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: ImBatch (32-bit).lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ImBatch\ImBatch.exe
Source: Image Monitor (32-bit).lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ImBatch\ImageMonitor.exe
Source: Context Menu Editor (32-bit).lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ImBatch\ContextMenuEditor.exe
Source: Uninstall ImBatch (32-bit).lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ImBatch\unins000.exe
Source: ImBatch (32-bit).lnk0.2.dr LNK file: ..\..\..\Program Files (x86)\ImBatch\ImBatch.exe
Source: Google Drive.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static file information: File size 25216120 > 1048576
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Develop\VisualStudio\DirectXTex\DirectXTex-master\DirectXTex\Bin\Desktop_2017\Win32\Release\DirectXTex.pdb source: ImBatch.exe, 00000004.00000002.4048877363.000000006E6A2000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\Develop\VisualStudio\heif\Release\heif.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000002.1668038621.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4049911354.000000006EB0F000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: {D:\Develop\VisualStudio\DirectXTex\DirectXTex-master\DirectXTex\Bin\Desktop_2017\Win32\Release\DirectXTex.pdb source: ImBatch.exe, 00000004.00000002.4048877363.000000006E6A2000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\x64\Release\ImBatchContextMenuHandler-x64.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\Release\ImBatchContextMenuHandler.pdb! source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: YD:\Delphi Projects\ImBatchContextMenu\x64\Release\ImBatchContextMenuHandler-x64.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Develop\VisualStudio\webp\Output\Win32\Release\webp.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.4048026498.000000006D4B1000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Delphi Projects\PhotoshopHost\pspiHost\Out\Win32\Release\pspiHost.pdb source: ImBatch.exe, 00000004.00000002.4040195438.000000006C5DA000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\Delphi Projects\ImBatchContextMenu\Release\ImBatchContextMenuHandler.pdb source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp, 00000002.00000003.1616459416.000000000521F000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_102331ED LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_102331ED
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Static PE information: section name: .didata
Source: SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp.0.dr Static PE information: section name: .didata
Source: is-3GFF4.tmp.2.dr Static PE information: section name: .didata
Source: is-8GFDD.tmp.2.dr Static PE information: section name: .didata
Source: is-GR2NP.tmp.2.dr Static PE information: section name: .didata
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-AVM6R.tmp.2.dr Static PE information: section name:
Source: is-FNB5F.tmp.2.dr Static PE information: section name: _RDATA
Source: is-LKQB2.tmp.2.dr Static PE information: section name: .didata
Source: is-OHCKU.tmp.2.dr Static PE information: section name: _RDATA
Source: is-99KO6.tmp.2.dr Static PE information: section name: _RDATA
Source: is-HNP1I.tmp.2.dr Static PE information: section name: _RDATA
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_058911C2 push 00000BADh; ret 4_2_058911CE
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0589CCAC push eax; ret 4_2_0589CD95
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE43E68 push ecx; mov dword ptr [esp], ecx 4_2_0EE43E6D
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EEE8CA4 push ecx; mov dword ptr [esp], edx 4_2_0EEE8CA8
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EF3EC48 push 0EF3ECEAh; ret 4_2_0EF3ECE2
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFCEC3C push ecx; mov dword ptr [esp], edx 4_2_0EFCEC41
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE71DB0 push ecx; mov dword ptr [esp], ecx 4_2_0EE71DB3
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFCED40 push ecx; mov dword ptr [esp], edx 4_2_0EFCED45
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F095BC0 push 0F097BAAh; ret 4_2_0F097BA2
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE38BC8 push ecx; mov dword ptr [esp], eax 4_2_0EE38BC9
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EFCD8E0 push ecx; mov dword ptr [esp], edx 4_2_0EFCD8E5
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3B508 push 0EE3B577h; ret 4_2_0EE3B56F
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE6B374 push ecx; mov dword ptr [esp], edx 4_2_0EE6B376
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE351A4 push eax; ret 4_2_0EE351E0
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0F0A308C push 0F0A31C0h; ret 4_2_0F0A31B8
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1022914B push ecx; ret 4_2_1022915B
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_100272C0 push E8511024h; ret 4_2_100272D9
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_102235B0 push eax; ret 4_2_102235C4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_102235B0 push eax; ret 4_2_102235EC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CCE96 push ecx; ret 4_2_6C5CCEA9
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5C3960 push ecx; mov dword ptr [esp], 00000000h 4_2_6C5C7481
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C63AC76 push ecx; ret 4_2_6C63AC89
Source: is-AVM6R.tmp.2.dr Static PE information: section name: entropy: 7.996801480815236
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\heif\heif.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-4IE2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-Q6F2H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatchExtra.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-187E4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-LD7EM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-99KO6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatchFormats.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-LHMKI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-OHCKU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatchContextMenuHandler.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-3GFF4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatchOpenCV.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\webp\webp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-9K996.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\heif\is-A1M78.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\tbb.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Users\user\AppData\Local\Temp\is-AUHB1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\jbig\jbiglib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-J21TG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\wp_type1ttf.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\potrace.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\jbig\is-9AH33.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-GR2NP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\imagemagick\imagemagick.dll (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe File created: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-27TQD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\wPDFView03.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-7C04I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\imagemagick\is-1E3EV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-LKQB2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\jpeg62.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\libde265.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\pspiHost.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-FBACC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatch.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ContextMenuEditor.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-FNB5F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-C4JUH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-8GFDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-7HQ59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\DirectXTex.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImageMonitor.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\Plugins\webp\is-HNP1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ielib32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\ImBatchContextMenuHandler-X64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-00VUD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-UGCE9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\libheif.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\is-AVM6R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\Program Files (x86)\ImBatch\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)\ImBatch (32-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)\Image Monitor (32-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)\Context Menu Editor (32-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)\ImBatch (32-bit) on the Web.url
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\High Motion Software\ImBatch (32-bit)\Uninstall ImBatch (32-bit).lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3DC66 IsIconic, 4_2_0EE3DC66
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CD5A7 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_6C5CD5A7
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: ImBatch.exe, 00000004.00000002.3934986180.000000000054C000.00000020.00000001.01000000.00000007.sdmp, is-8GFDD.tmp.2.dr Binary or memory string: SBIEDLL.DLL
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Special instruction interceptor: First address: 210D3BA instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Window / User API: threadDelayed 3893
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Window / User API: threadDelayed 2295
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Window / User API: threadDelayed 2509
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\heif\heif.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-Q6F2H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-4IE2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImBatchExtra.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-7C04I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-187E4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-LD7EM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\imagemagick\is-1E3EV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-99KO6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImBatchFormats.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-LHMKI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-OHCKU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-LKQB2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImBatchContextMenuHandler.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-3GFF4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImBatchOpenCV.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-FBACC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ContextMenuEditor.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\webp\webp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-FNB5F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-C4JUH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-8GFDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-9K996.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-7HQ59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\heif\is-A1M78.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\tbb.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImageMonitor.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\jbig\jbiglib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AUHB1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ImBatchContextMenuHandler-X64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\webp\is-HNP1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\ielib32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-J21TG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-00VUD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-UGCE9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\wp_type1ttf.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\potrace.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\jbig\is-9AH33.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\Plugins\imagemagick\imagemagick.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-GR2NP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\is-27TQD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Dropped PE file which has not been started: C:\Program Files (x86)\ImBatch\zlib1.dll (copy)
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe API coverage: 3.9 %
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe TID: 7536 Thread sleep time: -77860s >= -30000s
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe TID: 7556 Thread sleep time: -918000s >= -30000s
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe TID: 7556 Thread sleep time: -1003600s >= -30000s
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Thread sleep count: Count: 3893 delay: -20
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3A3CC FindFirstFileW,FindClose, 4_2_0EE3A3CC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE39E64 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_0EE39E64
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE44A84 FindFirstFileW,FindClose, 4_2_0EE44A84
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1023590A FindFirstFileA,_strlen,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 4_2_1023590A
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_1000D580 FindFirstFileA,FindFirstFileA,FindFirstFileA, 4_2_1000D580
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D28DF FindFirstFileExW, 4_2_6C5D28DF
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CD344 FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 4_2_6C5CD344
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3B08A GetSystemInfo, 4_2_0EE3B08A
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: VMware
Source: ImBatch.exe, 00000004.00000002.3938862172.0000000000704000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: GetVirtualMachine
Source: is-8GFDD.tmp.2.dr Binary or memory string: VMWare GSX
Source: ImBatch.exe, 00000004.00000002.4015052342.0000000007B8C000.00000004.00000020.00020000.00000000.sdmp, ImBatch.exe, 00000004.00000002.3980972653.0000000002324000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: is-8GFDD.tmp.2.dr Binary or memory string: VMWare ESX
Source: is-8GFDD.tmp.2.dr Binary or memory string: VMWareU
Source: is-8GFDD.tmp.2.dr Binary or memory string: vboxservice.exe
Source: is-8GFDD.tmp.2.dr Binary or memory string: VMWare Express
Source: is-8GFDD.tmp.2.dr Binary or memory string: VMWare Workstation
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process information queried: ProcessInformation
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0EE3D3FE IsDebuggerPresent, 4_2_0EE3D3FE
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_102331ED LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_102331ED
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D24EB mov eax, dword ptr fs:[00000030h] 4_2_6C5D24EB
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D0CA3 mov eax, dword ptr fs:[00000030h] 4_2_6C5D0CA3
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_058911CF GetProcessHeap,HeapAlloc, 4_2_058911CF
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CCCC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C5CCCC9
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5D0504 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C5D0504
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CC6B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6C5CC6B7
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.highmotionsoftware.com/products/imbatch/thankyou
Source: is-8GFDD.tmp.2.dr Binary or memory string: Shell_TrayWndTrayNotifyWndU
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_6C5CCEAB cpuid 4_2_6C5CCEAB
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 4_2_0EE3A4B4
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0EE399FC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: GetLocaleInfoW, 4_2_0EE3D28A
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 4_2_1022BAFA
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: _strlen,EnumSystemLocalesA, 4_2_1022BAC3
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: _strlen,EnumSystemLocalesA, 4_2_1022BB80
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale, 4_2_1022BBD5
Source: C:\Users\user\AppData\Local\Temp\is-1DOA7.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.12164.3161.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_0589B5FC GetLocalTime,wsprintfA, 4_2_0589B5FC
Source: C:\Program Files (x86)\ImBatch\ImBatch.exe Code function: 4_2_058910CD GetVersion, 4_2_058910CD