Windows Analysis Report
iieCxV2b1n.msi

Overview

General Information

Sample name:	iieCxV2b1n.msi renamed because original name is a hash value
Original sample name:	afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07.msi
Analysis ID:	1536943
MD5:	d87cc5fb2d4047d442446cc6d2d01cf9
SHA1:	8d2c76bb8248b1c8171c4cc198255d5613afe6fe
SHA256:	afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07
Tags:	fsb-rodeomsiuser-JAMESWT_MHT
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Avira: detection malicious, Label: TR/Agent.skcyd
Source: C:\Users\user\AppData\Local\Temp\ndae	Avira: detection malicious, Label: TR/Agent.skcyd

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Ormolu\dbghelp.dll	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\ndae	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\dbghelp.dll	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: iieCxV2b1n.msi

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ndae	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60927 version: TLS 1.2

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: diaLocatePDB-> Looking for %s... %s%s.pdbFPOPDATAXDATAOMAPFROMOMAPTO$$$IP not set! source: dbghelp.dll.2.dr
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000003.00000003.2158670135.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2162785863.0000000000DAF000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 00000005.00000002.2217487218.000000000181F000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000000C.00000002.2464881665.000000000139F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000003.00000002.2163554374.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 00000005.00000002.2217973739.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000000C.00000002.2465124087.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000003.00000002.2166506067.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 00000005.00000002.2219442160.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000000C.00000002.2466696009.000000006D511000.00000020.00000001.01000000.00000010.sdmp, dbghelp.dll.2.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		3_2_004164A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		5_2_004164A0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60851 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60897 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60942 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60989 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60996 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60997 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60999 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61000 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61002 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61003 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61005 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61006 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61001 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61007 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61008 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61010 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61011 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61012 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61013 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61014 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61015 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61016 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61017 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61018 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61019 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61022 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61021 -> 91.240.118.154:15647

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.240.118.154 ports 1,4,5,6,7,15647

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:60851 -> 91.240.118.154:15647

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154

Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ManyCam.exe, 00000003.00000002.2161920592.00000000005A4000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sBackgroundsDynamicDynamic
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sManyCam
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.comNew
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.comVerdanaThis
Source: ManyCam.exe	String found in binary or memory: http://manycam.com/feedback/?version=%s
Source: ManyCam.exe, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://manycam.com/help/effects
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://manycam.com/upload_effect?filepath=ManyCam
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ManyCam.exe, 00000003.00000002.2164898141.0000000004268000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003D8F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.000000000504F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: ManyCam.exe, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com
Source: ManyCam.exe, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codec
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codecVerdanaThis
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codecVerdanaTo
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/help/effects/snapshot/these
Source: cximagecrt.dll.2.dr, cximagecrt.dll.3.dr, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com0
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.comhttp://manycam.com/feedback/?version=%sAnchor
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 00000011.00000002.2705928640.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/TeiUkREy
Source: MSBuild.exe, 00000011.00000002.2705928640.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/TeiUkREyPO
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 60850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60772
Source: unknown	Network traffic detected: HTTP traffic on port 60838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60770
Source: unknown	Network traffic detected: HTTP traffic on port 60815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60890
Source: unknown	Network traffic detected: HTTP traffic on port 60735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60896
Source: unknown	Network traffic detected: HTTP traffic on port 60849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60782
Source: unknown	Network traffic detected: HTTP traffic on port 60862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60780
Source: unknown	Network traffic detected: HTTP traffic on port 60965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60787
Source: unknown	Network traffic detected: HTTP traffic on port 60770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60786
Source: unknown	Network traffic detected: HTTP traffic on port 60907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60793
Source: unknown	Network traffic detected: HTTP traffic on port 60861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60791
Source: unknown	Network traffic detected: HTTP traffic on port 60941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60798
Source: unknown	Network traffic detected: HTTP traffic on port 60884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60797
Source: unknown	Network traffic detected: HTTP traffic on port 60952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60739
Source: unknown	Network traffic detected: HTTP traffic on port 60928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60971
Source: unknown	Network traffic detected: HTTP traffic on port 60863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60970
Source: unknown	Network traffic detected: HTTP traffic on port 60840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60852
Source: unknown	Network traffic detected: HTTP traffic on port 60886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60973
Source: unknown	Network traffic detected: HTTP traffic on port 60839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60980
Source: unknown	Network traffic detected: HTTP traffic on port 60916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60868
Source: unknown	Network traffic detected: HTTP traffic on port 60940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60987
Source: unknown	Network traffic detected: HTTP traffic on port 60757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60986
Source: unknown	Network traffic detected: HTTP traffic on port 60736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60984
Source: unknown	Network traffic detected: HTTP traffic on port 60978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60990
Source: unknown	Network traffic detected: HTTP traffic on port 60917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60995
Source: unknown	Network traffic detected: HTTP traffic on port 60801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60882
Source: unknown	Network traffic detected: HTTP traffic on port 60967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60880
Source: unknown	Network traffic detected: HTTP traffic on port 60990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60764
Source: unknown	Network traffic detected: HTTP traffic on port 60885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60885
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60937
Source: unknown	Network traffic detected: HTTP traffic on port 60915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60936
Source: unknown	Network traffic detected: HTTP traffic on port 60938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60812
Source: unknown	Network traffic detected: HTTP traffic on port 60829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60810
Source: unknown	Network traffic detected: HTTP traffic on port 60750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60931
Source: unknown	Network traffic detected: HTTP traffic on port 60773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60930
Source: unknown	Network traffic detected: HTTP traffic on port 60979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60828
Source: unknown	Network traffic detected: HTTP traffic on port 60927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60827
Source: unknown	Network traffic detected: HTTP traffic on port 60830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60948
Source: unknown	Network traffic detected: HTTP traffic on port 60784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60821
Source: unknown	Network traffic detected: HTTP traffic on port 60887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60940
Source: unknown	Network traffic detected: HTTP traffic on port 60800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60839
Source: unknown	Network traffic detected: HTTP traffic on port 60980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60959
Source: unknown	Network traffic detected: HTTP traffic on port 60961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60837
Source: unknown	Network traffic detected: HTTP traffic on port 60926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60836
Source: unknown	Network traffic detected: HTTP traffic on port 60842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60849
Source: unknown	Network traffic detected: HTTP traffic on port 60853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60960
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60845
Source: unknown	Network traffic detected: HTTP traffic on port 60904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60844
Source: unknown	Network traffic detected: HTTP traffic on port 60864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60722
Source: unknown	Network traffic detected: HTTP traffic on port 60751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60962
Source: unknown	Network traffic detected: HTTP traffic on port 60716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60907
Source: unknown	Network traffic detected: HTTP traffic on port 60960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60904
Source: unknown	Network traffic detected: HTTP traffic on port 60937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60903
Source: unknown	Network traffic detected: HTTP traffic on port 60866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60901
Source: unknown	Network traffic detected: HTTP traffic on port 60795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60918
Source: unknown	Network traffic detected: HTTP traffic on port 60959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60915
Source: unknown	Network traffic detected: HTTP traffic on port 60936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60913

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60927 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18e9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{39F520E4-6237-4FBB-8F2E-71C60962EC87}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A22.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18eb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18eb.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6c18eb.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_0050EC90	3_2_0050EC90
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC31B0	3_2_00BC31B0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE619B	3_2_00BE619B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEB1E0	3_2_00BEB1E0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE01C0	3_2_00BE01C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE91C0	3_2_00BE91C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDB130	3_2_00BDB130
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7200	3_2_00BC7200
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB8380	3_2_00BB8380
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BCE340	3_2_00BCE340
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7430	3_2_00BC7430
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD1410	3_2_00BD1410
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE640B	3_2_00BE640B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD35A0	3_2_00BD35A0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC55F0	3_2_00BC55F0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD85E2	3_2_00BD85E2
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6560	3_2_00BC6560
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BCE680	3_2_00BCE680
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD26F0	3_2_00BD26F0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD16C0	3_2_00BD16C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7660	3_2_00BD7660
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE9650	3_2_00BE9650
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE57D0	3_2_00BE57D0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDB720	3_2_00BDB720
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE8740	3_2_00BE8740
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB78C0	3_2_00BB78C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6986	3_2_00BC6986
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB0930	3_2_00BB0930
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7920	3_2_00BC7920
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD9AF0	3_2_00BD9AF0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDBAE0	3_2_00BDBAE0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7A10	3_2_00BD7A10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEABB0	3_2_00BEABB0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE9B00	3_2_00BE9B00
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE8CF0	3_2_00BE8CF0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDEC10	3_2_00BDEC10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE5C10	3_2_00BE5C10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC3C40	3_2_00BC3C40
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC5E3B	3_2_00BC5E3B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC4E30	3_2_00BC4E30
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6E10	3_2_00BC6E10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7FB0	3_2_00BD7FB0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_0050EC90	5_2_0050EC90
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7C0D0	5_2_00B7C0D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BD00D0	5_2_00BD00D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BB0180	5_2_00BB0180
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BAE120	5_2_00BAE120
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BCE110	5_2_00BCE110
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C002C0	5_2_00C002C0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B662A0	5_2_00B662A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E2A0	5_2_00B7E2A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BA02A0	5_2_00BA02A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B682F0	5_2_00B682F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B642C0	5_2_00B642C0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BD2230	5_2_00BD2230
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BB0209	5_2_00BB0209
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFE240	5_2_00BFE240
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BF83B0	5_2_00BF83B0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B863A7	5_2_00B863A7
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFC360	5_2_00BFC360
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C0E4D0	5_2_00C0E4D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC04F0	5_2_00BC04F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E5A0	5_2_00B7E5A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFE5A0	5_2_00BFE5A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC65F0	5_2_00BC65F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BEA523	5_2_00BEA523
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BE46B3	5_2_00BE46B3
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B886A9	5_2_00B886A9
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B666E0	5_2_00B666E0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A6CE	5_2_00B7A6CE
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BBC670	5_2_00BBC670
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC4660	5_2_00BC4660
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A650	5_2_00B7A650
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C0C790	5_2_00C0C790
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BA4710	5_2_00BA4710
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC8700	5_2_00BC8700
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E8B0	5_2_00B7E8B0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BAA890	5_2_00BAA890
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A88E	5_2_00B7A88E
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BDA883	5_2_00BDA883
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B848F8	5_2_00B848F8
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BCA8E0	5_2_00BCA8E0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A810	5_2_00B7A810

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Ormolu\CrashRpt.dll C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe 7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00416740 appears 60 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BCB4C0 appears 173 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BD2CB0 appears 120 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BCB420 appears 78 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 004B77A0 appears 100 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 00BA6DF0 appears 231 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 00416740 appears 90 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 004B77A0 appears 101 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 0041A3B0 appears 36 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times

PE file contains executable resources (Code or Archives)

Source: CrashRpt.dll.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CrashRpt.dll.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Yara signature match

Source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 7.2.cmd.exe.56800c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: rsjddfw.2.dr, rsjddfw.3.dr

Binary or memory string: Q.slN

Source: classification engine

Classification label: mal100.troj.evad.winMSI@23/43@0/1

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004B7920 GetLastError,FormatMessageW,GlobalFree,

3_2_004B7920

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004B2100 CoCreateInstance,

3_2_004B2100

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00488A00 FindResourceW,GetLastError,SizeofResource,GetLastError,GetLastError,

3_2_00488A00

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML1A51.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\4a883fd97a304d9aac790bba9e5560e1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF3044E6FF2211BFB4.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iieCxV2b1n.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: iieCxV2b1n.msi

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\iieCxV2b1n.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: exuquepx.7.dr

LNK file: ..\..\Roaming\demoArchivebcz\ManyCam.exe

Source: iieCxV2b1n.msi

Static file information: File size 2990080 > 1048576

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: diaLocatePDB-> Looking for %s... %s%s.pdbFPOPDATAXDATAOMAPFROMOMAPTO$$$IP not set! source: dbghelp.dll.2.dr
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000003.00000003.2158670135.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2162785863.0000000000DAF000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 00000005.00000002.2217487218.000000000181F000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000000C.00000002.2464881665.000000000139F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000003.00000002.2163554374.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 00000005.00000002.2217973739.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000000C.00000002.2465124087.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000003.00000002.2166506067.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 00000005.00000002.2219442160.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000000C.00000002.2466696009.000000006D511000.00000020.00000001.01000000.00000010.sdmp, dbghelp.dll.2.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_0052309D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree,

3_2_0052309D

PE file contains an invalid checksum

Source: dbghelp.dll.3.dr	Static PE information: real checksum: 0x8050c should be: 0x7c27e
Source: dbghelp.dll.2.dr	Static PE information: real checksum: 0x8050c should be: 0x7c27e
Source: ndae.7.dr	Static PE information: real checksum: 0x0 should be: 0xc864a
Source: svubpwldttjkvt.14.dr	Static PE information: real checksum: 0x0 should be: 0xc864a

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_005242D1 push ecx; ret	3_2_005242E4
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEC355 push ecx; ret	3_2_00BEC368
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_005242D1 push ecx; ret	5_2_005242E4
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C10361 push ecx; ret	5_2_00C10374

Source: ndae.7.dr	Static PE information: section name: .text entropy: 6.816445298936949
Source: svubpwldttjkvt.14.dr	Static PE information: section name: .text entropy: 6.816445298936949

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cximagecrt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cximagecrt.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cv099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\dbghelp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cxcore099.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cxcore099.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ndae	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\highgui099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\highgui099.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\CrashRpt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cv099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\CrashRpt.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ndae			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NDAE
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SVUBPWLDTTJKVT

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7C44
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7C44
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6D0B3B54

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7859			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1927			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ndae			Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe

API coverage: 0.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6220	Thread sleep count: 7859 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6220	Thread sleep count: 1927 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45131s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -53417s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -46962s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -32442s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -40961s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -58805s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -47931s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -44954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -52446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57754s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30007s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57617s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -46862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -39373s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -31194s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -42652s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -58977s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -48539s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45019s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -57848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -54280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -55560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -36611s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -51119s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38217s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -39707s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -32320s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -52051s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -37406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -57971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		3_2_004164A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		5_2_004164A0

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe

Code function: 5_2_00C0D5E0 GetSystemInfo,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,QueryPerformanceFrequency,

5_2_00C0D5E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45131	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45600	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53417	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46962	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57876	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57754	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46862	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31194	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42652	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58977	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48539	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45019	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51119	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39707	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32320	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52051	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57971	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 0000000B.00000002.4602256407.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_00523722

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

3_2_0052309D

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00523077 GetProcessHeap,HeapFree,

3_2_00523077

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00523722
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEBBB6 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00BEBBB6
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	5_2_00523722

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtQuerySystemInformation: Direct from: 0x6D513079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x6D042DF7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtSetInformationThread: Direct from: 0x6D51245D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x6C91E5B8	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B6B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8AD008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B6B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DA6008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\ormolu\manycam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\ormolu\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00524748 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00524748

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004170D0 memset,GetVersionExW,

3_2_004170D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Yara detected Credential Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.240.118.154	unknown	unknown		49453	GLOBALLAYERNL	true

Contacted Domains

Name	IP	Active
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Avira: detection malicious, Label: TR/Agent.skcyd
Source: C:\Users\user\AppData\Local\Temp\ndae	Avira: detection malicious, Label: TR/Agent.skcyd

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Ormolu\dbghelp.dll	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\ndae	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\dbghelp.dll	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: iieCxV2b1n.msi

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ndae	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60927 version: TLS 1.2

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: diaLocatePDB-> Looking for %s... %s%s.pdbFPOPDATAXDATAOMAPFROMOMAPTO$$$IP not set! source: dbghelp.dll.2.dr
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000003.00000003.2158670135.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2162785863.0000000000DAF000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 00000005.00000002.2217487218.000000000181F000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000000C.00000002.2464881665.000000000139F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000003.00000002.2163554374.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 00000005.00000002.2217973739.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000000C.00000002.2465124087.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000003.00000002.2166506067.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 00000005.00000002.2219442160.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000000C.00000002.2466696009.000000006D511000.00000020.00000001.01000000.00000010.sdmp, dbghelp.dll.2.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		3_2_004164A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		5_2_004164A0

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60851 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60897 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60942 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60989 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60996 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60997 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:60999 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61000 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61002 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61003 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61005 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61006 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61001 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61007 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61008 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61010 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61011 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61012 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61013 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61014 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61015 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61016 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61017 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61018 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61019 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61022 -> 91.240.118.154:15647
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.6:61021 -> 91.240.118.154:15647

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.240.118.154 ports 1,4,5,6,7,15647

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:60851 -> 91.240.118.154:15647

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.154

Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ManyCam.exe, 00000003.00000002.2161920592.00000000005A4000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sBackgroundsDynamicDynamic
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.com/effects/%s/%s?v=%sManyCam
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.comNew
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://download.manycam.comVerdanaThis
Source: ManyCam.exe	String found in binary or memory: http://manycam.com/feedback/?version=%s
Source: ManyCam.exe, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://manycam.com/help/effects
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://manycam.com/upload_effect?filepath=ManyCam
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ManyCam.exe, 00000003.00000002.2164898141.0000000004268000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003D8F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.000000000504F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: ManyCam.exe, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com
Source: ManyCam.exe, ManyCam.exe, 00000005.00000000.2161245446.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409060950.00000000005A4000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codec
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codecVerdanaThis
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/codecVerdanaTo
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com/help/effects/snapshot/these
Source: cximagecrt.dll.2.dr, cximagecrt.dll.3.dr, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.com0
Source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr	String found in binary or memory: http://www.manycam.comhttp://manycam.com/feedback/?version=%sAnchor
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: MSBuild.exe, 00000011.00000002.2705928640.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/TeiUkREy
Source: MSBuild.exe, 00000011.00000002.2705928640.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/TeiUkREyPO
Source: ManyCam.exe, 00000003.00000002.2164898141.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218473328.0000000003DE5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446759799.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465472629.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 60850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60772
Source: unknown	Network traffic detected: HTTP traffic on port 60838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60770
Source: unknown	Network traffic detected: HTTP traffic on port 60815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60890
Source: unknown	Network traffic detected: HTTP traffic on port 60735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60896
Source: unknown	Network traffic detected: HTTP traffic on port 60849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60782
Source: unknown	Network traffic detected: HTTP traffic on port 60862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60780
Source: unknown	Network traffic detected: HTTP traffic on port 60965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60787
Source: unknown	Network traffic detected: HTTP traffic on port 60770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60786
Source: unknown	Network traffic detected: HTTP traffic on port 60907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60793
Source: unknown	Network traffic detected: HTTP traffic on port 60861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60791
Source: unknown	Network traffic detected: HTTP traffic on port 60941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60798
Source: unknown	Network traffic detected: HTTP traffic on port 60884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60797
Source: unknown	Network traffic detected: HTTP traffic on port 60952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60739
Source: unknown	Network traffic detected: HTTP traffic on port 60928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60971
Source: unknown	Network traffic detected: HTTP traffic on port 60863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60970
Source: unknown	Network traffic detected: HTTP traffic on port 60840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60852
Source: unknown	Network traffic detected: HTTP traffic on port 60886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60973
Source: unknown	Network traffic detected: HTTP traffic on port 60839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60980
Source: unknown	Network traffic detected: HTTP traffic on port 60916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60868
Source: unknown	Network traffic detected: HTTP traffic on port 60940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60987
Source: unknown	Network traffic detected: HTTP traffic on port 60757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60986
Source: unknown	Network traffic detected: HTTP traffic on port 60736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60984
Source: unknown	Network traffic detected: HTTP traffic on port 60978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60990
Source: unknown	Network traffic detected: HTTP traffic on port 60917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60995
Source: unknown	Network traffic detected: HTTP traffic on port 60801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60882
Source: unknown	Network traffic detected: HTTP traffic on port 60967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60880
Source: unknown	Network traffic detected: HTTP traffic on port 60990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60764
Source: unknown	Network traffic detected: HTTP traffic on port 60885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60885
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60937
Source: unknown	Network traffic detected: HTTP traffic on port 60915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60936
Source: unknown	Network traffic detected: HTTP traffic on port 60938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60812
Source: unknown	Network traffic detected: HTTP traffic on port 60829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60810
Source: unknown	Network traffic detected: HTTP traffic on port 60750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60931
Source: unknown	Network traffic detected: HTTP traffic on port 60773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60930
Source: unknown	Network traffic detected: HTTP traffic on port 60979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60828
Source: unknown	Network traffic detected: HTTP traffic on port 60927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60827
Source: unknown	Network traffic detected: HTTP traffic on port 60830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60948
Source: unknown	Network traffic detected: HTTP traffic on port 60784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60821
Source: unknown	Network traffic detected: HTTP traffic on port 60887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60940
Source: unknown	Network traffic detected: HTTP traffic on port 60800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60839
Source: unknown	Network traffic detected: HTTP traffic on port 60980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60959
Source: unknown	Network traffic detected: HTTP traffic on port 60961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60837
Source: unknown	Network traffic detected: HTTP traffic on port 60926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60836
Source: unknown	Network traffic detected: HTTP traffic on port 60842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60849
Source: unknown	Network traffic detected: HTTP traffic on port 60853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60960
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60845
Source: unknown	Network traffic detected: HTTP traffic on port 60904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60844
Source: unknown	Network traffic detected: HTTP traffic on port 60864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60722
Source: unknown	Network traffic detected: HTTP traffic on port 60751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60962
Source: unknown	Network traffic detected: HTTP traffic on port 60716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60909
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60907
Source: unknown	Network traffic detected: HTTP traffic on port 60960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60904
Source: unknown	Network traffic detected: HTTP traffic on port 60937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60903
Source: unknown	Network traffic detected: HTTP traffic on port 60866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60901
Source: unknown	Network traffic detected: HTTP traffic on port 60795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60918
Source: unknown	Network traffic detected: HTTP traffic on port 60959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60916
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60915
Source: unknown	Network traffic detected: HTTP traffic on port 60936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60913

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.6:60927 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18e9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{39F520E4-6237-4FBB-8F2E-71C60962EC87}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1A22.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18eb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c18eb.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6c18eb.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_0050EC90	3_2_0050EC90
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC31B0	3_2_00BC31B0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE619B	3_2_00BE619B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEB1E0	3_2_00BEB1E0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE01C0	3_2_00BE01C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE91C0	3_2_00BE91C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDB130	3_2_00BDB130
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7200	3_2_00BC7200
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB8380	3_2_00BB8380
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BCE340	3_2_00BCE340
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7430	3_2_00BC7430
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD1410	3_2_00BD1410
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE640B	3_2_00BE640B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD35A0	3_2_00BD35A0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC55F0	3_2_00BC55F0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD85E2	3_2_00BD85E2
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6560	3_2_00BC6560
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BCE680	3_2_00BCE680
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD26F0	3_2_00BD26F0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD16C0	3_2_00BD16C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7660	3_2_00BD7660
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE9650	3_2_00BE9650
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE57D0	3_2_00BE57D0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDB720	3_2_00BDB720
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE8740	3_2_00BE8740
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB78C0	3_2_00BB78C0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6986	3_2_00BC6986
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BB0930	3_2_00BB0930
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC7920	3_2_00BC7920
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD9AF0	3_2_00BD9AF0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDBAE0	3_2_00BDBAE0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7A10	3_2_00BD7A10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEABB0	3_2_00BEABB0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE9B00	3_2_00BE9B00
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE8CF0	3_2_00BE8CF0
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BDEC10	3_2_00BDEC10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BE5C10	3_2_00BE5C10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC3C40	3_2_00BC3C40
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC5E3B	3_2_00BC5E3B
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC4E30	3_2_00BC4E30
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BC6E10	3_2_00BC6E10
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BD7FB0	3_2_00BD7FB0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_0050EC90	5_2_0050EC90
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7C0D0	5_2_00B7C0D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BD00D0	5_2_00BD00D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BB0180	5_2_00BB0180
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BAE120	5_2_00BAE120
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BCE110	5_2_00BCE110
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C002C0	5_2_00C002C0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B662A0	5_2_00B662A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E2A0	5_2_00B7E2A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BA02A0	5_2_00BA02A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B682F0	5_2_00B682F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B642C0	5_2_00B642C0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BD2230	5_2_00BD2230
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BB0209	5_2_00BB0209
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFE240	5_2_00BFE240
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BF83B0	5_2_00BF83B0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B863A7	5_2_00B863A7
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFC360	5_2_00BFC360
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C0E4D0	5_2_00C0E4D0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC04F0	5_2_00BC04F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E5A0	5_2_00B7E5A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BFE5A0	5_2_00BFE5A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC65F0	5_2_00BC65F0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BEA523	5_2_00BEA523
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BE46B3	5_2_00BE46B3
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B886A9	5_2_00B886A9
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B666E0	5_2_00B666E0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A6CE	5_2_00B7A6CE
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BBC670	5_2_00BBC670
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC4660	5_2_00BC4660
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A650	5_2_00B7A650
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C0C790	5_2_00C0C790
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BA4710	5_2_00BA4710
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BC8700	5_2_00BC8700
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7E8B0	5_2_00B7E8B0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BAA890	5_2_00BAA890
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A88E	5_2_00B7A88E
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BDA883	5_2_00BDA883
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B848F8	5_2_00B848F8
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00BCA8E0	5_2_00BCA8E0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00B7A810	5_2_00B7A810

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Ormolu\CrashRpt.dll C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe 7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00416740 appears 60 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BCB4C0 appears 173 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BD2CB0 appears 120 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 00BCB420 appears 78 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 004B77A0 appears 100 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 00BA6DF0 appears 231 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 00416740 appears 90 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 004B77A0 appears 101 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 004B76D0 appears 36 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 0041A3B0 appears 36 times
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: String function: 0047BCF0 appears 141 times

PE file contains executable resources (Code or Archives)

Source: CrashRpt.dll.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CrashRpt.dll.3.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Yara signature match

Source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 7.2.cmd.exe.56800c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.cmd.exe.56b00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: rsjddfw.2.dr, rsjddfw.3.dr

Binary or memory string: Q.slN

Source: classification engine

Classification label: mal100.troj.evad.winMSI@23/43@0/1

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004B7920 GetLastError,FormatMessageW,GlobalFree,

3_2_004B7920

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004B2100 CoCreateInstance,

3_2_004B2100

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00488A00 FindResourceW,GetLastError,SizeofResource,GetLastError,GetLastError,

3_2_00488A00

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML1A51.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\4a883fd97a304d9aac790bba9e5560e1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF3044E6FF2211BFB4.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iieCxV2b1n.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: iieCxV2b1n.msi

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\iieCxV2b1n.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cximagecrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cxcore099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: highgui099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: crashrpt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv099.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippopencv097.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcv20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippi20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ipps20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippvm20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc-5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: ippcc20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_p3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: mkl_def.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: pcaui.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\pcaui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: exuquepx.7.dr

LNK file: ..\..\Roaming\demoArchivebcz\ManyCam.exe

Source: iieCxV2b1n.msi

Static file information: File size 2990080 > 1048576

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb0 source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: d:\branch_2.5\bin\cximagecrt.pdb source: ManyCam.exe, 00000003.00000002.2166338310.0000000010062000.00000002.00000001.01000000.00000004.sdmp, ManyCam.exe, 00000005.00000002.2219366899.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, ManyCam.exe, 0000000C.00000002.2466630485.0000000010062000.00000002.00000001.01000000.0000000C.sdmp, cximagecrt.dll.2.dr, cximagecrt.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb8` source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdb source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: diaLocatePDB-> Looking for %s... %s%s.pdbFPOPDATAXDATAOMAPFROMOMAPTO$$$IP not set! source: dbghelp.dll.2.dr
Source:	Binary string: wntdll.pdbUGP source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ManyCam.exe, 00000003.00000002.2165395088.00000000043F2000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2165697387.0000000004750000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218603345.0000000003F27000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218926566.0000000004633000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 00000005.00000002.2218747581.0000000004280000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446861312.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000007.00000002.2446634321.00000000048B7000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465924719.000000000461D000.00000004.00000001.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465716029.0000000004260000.00000004.00000800.00020000.00000000.sdmp, ManyCam.exe, 0000000C.00000002.2465598920.0000000003F0F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704424826.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2704694294.00000000051D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\highgui099.pdb source: ManyCam.exe, 00000003.00000002.2162159479.0000000000BED000.00000002.00000001.01000000.00000009.sdmp, ManyCam.exe, 00000005.00000002.2217621375.000000000188D000.00000002.00000001.01000000.00000011.sdmp, ManyCam.exe, 0000000C.00000002.2464370715.0000000000BDD000.00000002.00000001.01000000.00000011.sdmp, highgui099.dll.2.dr, highgui099.dll.3.dr
Source:	Binary string: c:\Program Files\OpenCV\bin\cv099.pdb source: ManyCam.exe, 00000003.00000003.2158670135.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, ManyCam.exe, 00000003.00000002.2162785863.0000000000DAF000.00000002.00000001.01000000.00000008.sdmp, ManyCam.exe, 00000005.00000002.2217487218.000000000181F000.00000002.00000001.01000000.0000000E.sdmp, ManyCam.exe, 0000000C.00000002.2464881665.000000000139F000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\Program Files\OpenCV\bin\cxcore099.pdbu source: ManyCam.exe, 00000003.00000002.2162452316.0000000000CE1000.00000002.00000001.01000000.00000007.sdmp, ManyCam.exe, 00000005.00000002.2217079654.0000000000C11000.00000002.00000001.01000000.0000000D.sdmp, ManyCam.exe, 0000000C.00000002.2464752763.00000000012D1000.00000002.00000001.01000000.0000000D.sdmp, cxcore099.dll.2.dr
Source:	Binary string: d:\branch_2.5\bin\ManyCam.pdb source: ManyCam.exe, 00000003.00000000.2152038111.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000003.00000002.2161766085.000000000053B000.00000002.00000001.01000000.00000003.sdmp, ManyCam.exe, 00000005.00000002.2216719272.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 00000005.00000000.2161179940.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000002.2464174605.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe, 0000000C.00000000.2409004618.000000000053B000.00000002.00000001.01000000.0000000B.sdmp, ManyCam.exe.2.dr, ManyCam.exe.3.dr
Source:	Binary string: d:\branch_2.5\Bin\CrashRpt.pdb source: ManyCam.exe, 00000003.00000002.2163554374.0000000002012000.00000002.00000001.01000000.00000005.sdmp, ManyCam.exe, 00000005.00000002.2217973739.0000000002012000.00000002.00000001.01000000.0000000F.sdmp, ManyCam.exe, 0000000C.00000002.2465124087.0000000002012000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: dbghelp.pdb source: ManyCam.exe, 00000003.00000002.2166506067.000000006D511000.00000020.00000001.01000000.00000006.sdmp, ManyCam.exe, 00000005.00000002.2219442160.000000006D511000.00000020.00000001.01000000.00000010.sdmp, ManyCam.exe, 0000000C.00000002.2466696009.000000006D511000.00000020.00000001.01000000.00000010.sdmp, dbghelp.dll.2.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

3_2_0052309D

PE file contains an invalid checksum

Source: dbghelp.dll.3.dr	Static PE information: real checksum: 0x8050c should be: 0x7c27e
Source: dbghelp.dll.2.dr	Static PE information: real checksum: 0x8050c should be: 0x7c27e
Source: ndae.7.dr	Static PE information: real checksum: 0x0 should be: 0xc864a
Source: svubpwldttjkvt.14.dr	Static PE information: real checksum: 0x0 should be: 0xc864a

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_005242D1 push ecx; ret	3_2_005242E4
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEC355 push ecx; ret	3_2_00BEC368
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_005242D1 push ecx; ret	5_2_005242E4
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00C10361 push ecx; ret	5_2_00C10374

Source: ndae.7.dr	Static PE information: section name: .text entropy: 6.816445298936949
Source: svubpwldttjkvt.14.dr	Static PE information: section name: .text entropy: 6.816445298936949

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cximagecrt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cximagecrt.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cv099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\dbghelp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\dbghelp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cxcore099.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\cxcore099.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ndae	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\highgui099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\highgui099.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\CrashRpt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	File created: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\cv099.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Ormolu\CrashRpt.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ndae			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NDAE
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SVUBPWLDTTJKVT

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7C44
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7C44
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	API/Special instruction interceptor: Address: 6D0B7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6D0B3B54

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7859			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1927			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ndae			Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe

API coverage: 0.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6220	Thread sleep count: 7859 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6220	Thread sleep count: 1927 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45131s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45600s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -53417s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -46962s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -32442s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -40961s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -58805s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -47931s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -44954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -58015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -52446s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57754s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30007s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57617s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38452s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -46862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -39373s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -31194s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -57078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -42652s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56968s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -58977s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -48539s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -45019s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -57848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -56093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -54280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -55560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -36611s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -51119s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -38217s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -30921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -39707s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -32320s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -52051s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -37406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 368	Thread sleep time: -57971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1584	Thread sleep time: -54453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		3_2_004164A0
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_004164A0 lstrlenW,FindFirstFileW,GetFullPathNameW,SetLastError,		5_2_004164A0

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe

Code function: 5_2_00C0D5E0 GetSystemInfo,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,QueryPerformanceFrequency,

5_2_00C0D5E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45131	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45600	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53417	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46962	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38586	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32442	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40961	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58805	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47931	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52446	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57876	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57754	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30007	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46862	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39373	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31194	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42652	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58977	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48539	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45019	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36611	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51119	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39707	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32320	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52051	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57971	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.2704587675.0000000005097000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 0000000B.00000002.4602256407.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

3_2_00523722

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

3_2_0052309D

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00523077 GetProcessHeap,HeapFree,

3_2_00523077

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe "C:\Users\user\AppData\Local\Ormolu\ManyCam.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00523722
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Code function: 3_2_00BEBBB6 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_00BEBBB6
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Code function: 5_2_00523722 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	5_2_00523722

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtQuerySystemInformation: Direct from: 0x6D513079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x6D042DF7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtSetInformationThread: Direct from: 0x6D51245D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x6C91E5B8	Jump to behavior
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B6B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8AD008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B6B1000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DA6008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\ormolu\manycam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"
Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\local\ormolu\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	Process created: C:\Windows\System32\pcaui.exe "c:\windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "manycam" -v "manycam llc" -s "to work properly, this app must be reinstalled after you upgrade windows." -n 4 -f 0 -k 0 -e "c:\users\user\appdata\roaming\demoarchivebcz\manycam.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_00524748 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00524748

Source: C:\Users\user\AppData\Local\Ormolu\ManyCam.exe

Code function: 3_2_004170D0 memset,GetVersionExW,

3_2_004170D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Yara detected Credential Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.cmd.exe.56800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.MSBuild.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56b00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2704945415.00000000056B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705147083.0000000000E22000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2447289622.0000000005680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ndae, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svubpwldttjkvt, type: DROPPED

Windows Analysis Report
iieCxV2b1n.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

ID:	1536943
Product:	CloudBasic
Start time:	12:08:16
Start date:	18.10.2024
Sample:	iieCxV2b1n.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d87cc5fb2d4047d442446cc6d2d01cf9
SHA1:	8d2c76bb8248b1c8171c4cc198255d5613afe6fe
SHA256:	afbdaa974cdc9624fe94b5c0ca6ce01695570790a68cc9c86ea0619973f13d07
Filetype:	Microsoft Windows Installer (60509/1) 88.31%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\6c18ea.rbs	data	356DDEAE350474C245DE4F3B2EBF33C8	DD8F8BA9806BC3D98BEE86735A6BF800F72CAF16	BD726D6F935F2E67A786997A6E0AC35CFB68EEE4EEF68E4C94100AEEA469823B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log	ASCII text, with CRLF line terminators	812F0A8C671812AA613FC139B69E8614	B4177437C50B25B06FB885362DA36FD171A1C5A9	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
C:\Users\user\AppData\Local\Ormolu\CrashRpt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B2D1F5E4A1F0E8D85F0A8AEB7B8148C7	871078213FCC0CE143F518BD69CAA3156B385415	C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
C:\Users\user\AppData\Local\Ormolu\ManyCam.exe	PE32 executable (GUI) Intel 80386, for MS Windows	BA699791249C311883BAA8CE3432703B	F8734601F9397CB5EBB8872AF03F5B0639C2EAC6	7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282
C:\Users\user\AppData\Local\Ormolu\cv099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	2A8B33FEE2F84490D52A3A7C75254971	16CE2B1632A17949B92CE32A6211296FEE431DCA	FAFF6A0745E1720413A028F77583FFF013C3F4682756DC717A0549F1BE3FEFC2
C:\Users\user\AppData\Local\Ormolu\cxcore099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	286284D4AE1C67D0D5666B1417DCD575	8B8A32577051823B003C78C86054874491E9ECFA	37D9A8057D58B043AD037E9905797C215CD0832D48A29731C1687B23447CE298
C:\Users\user\AppData\Local\Ormolu\cximagecrt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C36F6E088C6457A43ADB7EDCD17803F3	B25B9FB4C10B8421C8762C7E7B3747113D5702DE	8E1243454A29998CC7DC89CAECFADC0D29E00E5776A8B5777633238B8CD66F72
C:\Users\user\AppData\Local\Ormolu\dbghelp.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	AA1594596FA19609555E317D9B64BE6A	924B08D85B537BE52142965C3AD33C01B457EA83	5139413EA54DEE9EC4F13B193D88CCAE9ADB8F0D8C1E2BA1AEE460D8A0D5BB79
C:\Users\user\AppData\Local\Ormolu\gxfiogr	data	B590C33DD2A4C8DDEDDA46028181A405	B0949A3396D84B8E4DCA5D5026EB3B6C0679F7E3	862AADCB096647394A5F6F5E646BF57B52567180505B6026E59539F6DED1EAA8
C:\Users\user\AppData\Local\Ormolu\highgui099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A354C42FCB37A50ECAD8DDE250F6119E	0EB4AD5E90D28A4A8553D82CEC53072279AF1961	89DB6973F4EC5859792BCD8A50CD10DB6B847613F2CEA5ADEF740EEC141673B2
C:\Users\user\AppData\Local\Ormolu\rsjddfw	data	2139118B4760969B3A7DF8D1ABF9C26F	A076EE81FAC8DF2508E72C918FF2AD45D8BF8281	F2158D2632256E1E8D6CD855937FF9B3D8AC738D993FB0BE976880A8692D76EB
C:\Users\user\AppData\Local\Temp\804a2825	data	3F3CF680F3C51868F42A28688CDFD32A	0BC9910032D4E5CD201A80D40D036BAB04EAAF7F	8E307CBBB55185635BFB2770B072C00D33E8C273C62102C048ADF98124FB0DDA
C:\Users\user\AppData\Local\Temp\8f084743	data	3CBC6AE10EE247736594D687E24C4C60	2E77369C4CC98763899F6B6E917903E5C41B41FB	1A1B690504044927405943F8096A180C44CECBFCE37345A11369A46500F562FC
C:\Users\user\AppData\Local\Temp\exuquepx	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 18 09:09:10 2024, mtime=Fri Oct 18 09:09:10 2024, atime=Wed Oct 9 15:39:50 2024, length=1756232, window=hide	21EE9A4ACAAC1C7A164EB4D13A9E7FF2	3E5E2D4BC1E1B2376A0ABA718FBEBB89D88928B6	E30CE5E908C31D43A0F33A37D0D0128D6905638E033AA96F02D97A96F1E5B81A
C:\Users\user\AppData\Local\Temp\ndae	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	4BBDA200E71F052B7AFC6C24CA47054B	B18C1059FF61B0C469C2805EFBD514A05A95B602	B081A923A9E80FF40F51F3D2C2F231863E3A2E1B13E744CA8F6ACF13987C401A
C:\Users\user\AppData\Local\Temp\svubpwldttjkvt	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	4BBDA200E71F052B7AFC6C24CA47054B	B18C1059FF61B0C469C2805EFBD514A05A95B602	B081A923A9E80FF40F51F3D2C2F231863E3A2E1B13E744CA8F6ACF13987C401A
C:\Users\user\AppData\Roaming\demoArchivebcz\CrashRpt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B2D1F5E4A1F0E8D85F0A8AEB7B8148C7	871078213FCC0CE143F518BD69CAA3156B385415	C28E0AEC124902E948C554436C0EBBEBBA9FC91C906CE2CD887FADA0C64E3386
C:\Users\user\AppData\Roaming\demoArchivebcz\ManyCam.exe	PE32 executable (GUI) Intel 80386, for MS Windows	BA699791249C311883BAA8CE3432703B	F8734601F9397CB5EBB8872AF03F5B0639C2EAC6	7C4EB51A737A81C163F95B50EC54518B82FCF91389D0560E855F3E26CEC07282
C:\Users\user\AppData\Roaming\demoArchivebcz\cv099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	2A8B33FEE2F84490D52A3A7C75254971	16CE2B1632A17949B92CE32A6211296FEE431DCA	FAFF6A0745E1720413A028F77583FFF013C3F4682756DC717A0549F1BE3FEFC2
C:\Users\user\AppData\Roaming\demoArchivebcz\cxcore099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	286284D4AE1C67D0D5666B1417DCD575	8B8A32577051823B003C78C86054874491E9ECFA	37D9A8057D58B043AD037E9905797C215CD0832D48A29731C1687B23447CE298
C:\Users\user\AppData\Roaming\demoArchivebcz\cximagecrt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C36F6E088C6457A43ADB7EDCD17803F3	B25B9FB4C10B8421C8762C7E7B3747113D5702DE	8E1243454A29998CC7DC89CAECFADC0D29E00E5776A8B5777633238B8CD66F72
C:\Users\user\AppData\Roaming\demoArchivebcz\dbghelp.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	AA1594596FA19609555E317D9B64BE6A	924B08D85B537BE52142965C3AD33C01B457EA83	5139413EA54DEE9EC4F13B193D88CCAE9ADB8F0D8C1E2BA1AEE460D8A0D5BB79
C:\Users\user\AppData\Roaming\demoArchivebcz\gxfiogr	data	B590C33DD2A4C8DDEDDA46028181A405	B0949A3396D84B8E4DCA5D5026EB3B6C0679F7E3	862AADCB096647394A5F6F5E646BF57B52567180505B6026E59539F6DED1EAA8
C:\Users\user\AppData\Roaming\demoArchivebcz\highgui099.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A354C42FCB37A50ECAD8DDE250F6119E	0EB4AD5E90D28A4A8553D82CEC53072279AF1961	89DB6973F4EC5859792BCD8A50CD10DB6B847613F2CEA5ADEF740EEC141673B2
C:\Users\user\AppData\Roaming\demoArchivebcz\rsjddfw	data	2139118B4760969B3A7DF8D1ABF9C26F	A076EE81FAC8DF2508E72C918FF2AD45D8BF8281	F2158D2632256E1E8D6CD855937FF9B3D8AC738D993FB0BE976880A8692D76EB
C:\Windows\Installer\6c18e9.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Semolina, Author: Kwela Eirenicon, Keywords: Installer, Comments: This installer database contains the logic and data required to install Semolina., Template: Intel;1033, Revision Number: {E399BBE4-4063-457E-BB84-F6CBF9E31491}, Create Time/Date: Wed Oct 9 11:42:28 2024, Last Saved Time/Date: Wed Oct 9 11:42:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2	D87CC5FB2D4047D442446CC6D2D01CF9	8D2C76BB8248B1C8171C4CC198255D5613AFE6FE	AFBDAA974CDC9624FE94B5C0CA6CE01695570790A68CC9C86EA0619973F13D07
C:\Windows\Installer\6c18eb.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Semolina, Author: Kwela Eirenicon, Keywords: Installer, Comments: This installer database contains the logic and data required to install Semolina., Template: Intel;1033, Revision Number: {E399BBE4-4063-457E-BB84-F6CBF9E31491}, Create Time/Date: Wed Oct 9 11:42:28 2024, Last Saved Time/Date: Wed Oct 9 11:42:28 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2	D87CC5FB2D4047D442446CC6D2D01CF9	8D2C76BB8248B1C8171C4CC198255D5613AFE6FE	AFBDAA974CDC9624FE94B5C0CA6CE01695570790A68CC9C86EA0619973F13D07
C:\Windows\Installer\MSI1A22.tmp	data	699E64B80B940362DD380AF3C489BCC4	6613B9B02EA55D7C6787A49F24A80B778CCB0F26	BB1849F72B52B0D7F2971CD29BC70250553AF9FD274139CC369EFDDDE51C1AFA
C:\Windows\Installer\SourceHash{39F520E4-6237-4FBB-8F2E-71C60962EC87}	Composite Document File V2 Document, Cannot read section info	F32502564B29EA6FEBAB5E6F6D29A9C3	0558C8ED9D2B2758A6A01555E592A9C5AE465843	D6F11DF107DE65DF2A2BE15F08FC86F34DA5DC2E9645C856FFC1D4E835B196B9
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	D50777159FE335774A88BAC4AFA5AD9E	879E1DFEA66236589932D32CA08C538273A2C950	EC3FDABA326668208C4E75E74551D6B61D13A8203CDC34041803342658DB55F5
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	8E65CE809FB39628A3D5C604209B56B2	726A271778B35E04A867794106A2C0BF5EE7D2E1	3AF3A291FEC50365E6237D0A5B57341E053576AB8B6CA2038C41B347DB0DC346
C:\Windows\Temp\~DF0990806D57BC3AEC.TMP	Composite Document File V2 Document, Cannot read section info	D50777159FE335774A88BAC4AFA5AD9E	879E1DFEA66236589932D32CA08C538273A2C950	EC3FDABA326668208C4E75E74551D6B61D13A8203CDC34041803342658DB55F5
C:\Windows\Temp\~DF14890820A40800E0.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF3044E6FF2211BFB4.TMP	data	B140642D48C93D7D222A266795DE597A	4CCF08F0CACC897C27F307EFE966A2E3FEBA8FF3	083BBED212BB03F208D16622E29EEA800553E58ABFFBA6275BEC38A5709B929C
C:\Windows\Temp\~DF46874C96EA2F3823.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF49307B85DBB1A515.TMP	Composite Document File V2 Document, Cannot read section info	21D137DDA7F2B59D3AB01E0F3E586EB8	5277AD995E85AEDD5CBCC58CF70C04DB1D0189C0	1BB634D0E8C19FDACA229F52A6AE503FE5D28EE00C423108CC625140123417D1
C:\Windows\Temp\~DF551A278F797377D0.TMP	Composite Document File V2 Document, Cannot read section info	21D137DDA7F2B59D3AB01E0F3E586EB8	5277AD995E85AEDD5CBCC58CF70C04DB1D0189C0	1BB634D0E8C19FDACA229F52A6AE503FE5D28EE00C423108CC625140123417D1
C:\Windows\Temp\~DF8B2F9407D39D8958.TMP	Composite Document File V2 Document, Cannot read section info	21D137DDA7F2B59D3AB01E0F3E586EB8	5277AD995E85AEDD5CBCC58CF70C04DB1D0189C0	1BB634D0E8C19FDACA229F52A6AE503FE5D28EE00C423108CC625140123417D1
C:\Windows\Temp\~DF98277DCBF98DF427.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF9D929FC9F6DAB395.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFBCF32403695355B2.TMP	Composite Document File V2 Document, Cannot read section info	D50777159FE335774A88BAC4AFA5AD9E	879E1DFEA66236589932D32CA08C538273A2C950	EC3FDABA326668208C4E75E74551D6B61D13A8203CDC34041803342658DB55F5
C:\Windows\Temp\~DFE130414A9DA75E26.TMP	data	A5A5C5C0A02B9AB25CFE06B67814FED9	3E4160A0C95BD5E289D4FD20A4B9E20ED755AAFE	54E5EB7FA254059ACDE6A0BB1DE20A22B1E327FBEF0B53EDC7D9A158F2F9531B
C:\Windows\Temp\~DFF585C7427396405F.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

Windows Analysis Report iieCxV2b1n.msi

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
iieCxV2b1n.msi

Malware Threat Intel
Provided by