Windows Analysis Report
1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe

Overview

General Information

Sample name: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Analysis ID: 1518760
MD5: 2afbe1369dd12cc3264a4b4c332396b0
SHA1: 06b730230788c3f066f634a0c2a499e961180e26
SHA256: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38bc6fc8dc06c595a08ad
Tags: Arechclient2, exe, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Users\user\AppData\Local\Temp\kwvvjj Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\kwvvjj Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6C550 CryptUnprotectData, 10_2_06D6C550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6C548 CryptUnprotectData, 10_2_06D6C548
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1494906771.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1492795481.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790316524.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790621154.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1841195859.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1840643368.00000000048B9000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1898876592.0000000004CC7000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1899243196.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3846342146.00000000047B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3845330061.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1494906771.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1492795481.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790316524.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790621154.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1841195859.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1840643368.00000000048B9000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1898876592.0000000004CC7000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1899243196.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3846342146.00000000047B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3845330061.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06D5C439h 10_2_06D5C318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06D5C439h 10_2_06D5C308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-28h] 10_2_070481C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0731540Bh 10_2_07314E31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 07941009h 10_2_07940358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-68h] 10_2_07940358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0794165Eh 10_2_07940358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0794C584h 10_2_0794C0EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 07949741h 10_2_07949729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0799715Ch 10_2_07996180

Networking

Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:49716 -> 213.109.202.97:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49717 -> 213.109.202.97:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49718 -> 213.109.202.97:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 213.109.202.97:15647 -> 192.168.2.7:49716
Source: global traffic TCP traffic: 213.109.202.97 ports 9000,1,4,5,6,7,15647
Source: global traffic TCP traffic: 192.168.2.7:49716 -> 213.109.202.97:15647
Source: global traffic TCP traffic: 192.168.2.7:58350 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.7:59813 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 213.109.202.97:9000 Connection: Keep-Alive (identical request listed 68 times)
Source: Joe Sandbox View ASN Name: UA-LINK-ASUA UA-LINK-ASUA
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200 (listed 2 times)
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138 (listed 11 times)
Source: unknown TCP traffic detected without corresponding DNS query: 213.109.202.97 (listed 37 times)
Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 213.109.202.97:9000 Connection: Keep-Alive (identical request listed 68 times)
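Two network behaviours in the traffic above are worth codifying: the same GET /wbinjget?q=&lt;32-hex&gt; request sent over and over to 213.109.202.97:9000 (a bare IP, a non-standard HTTP port, a fresh client source port each time despite Connection: Keep-Alive, and a fixed 32-hex token that is presumably a bot identifier), and TCP connections to addresses that never appeared in a DNS answer, which is how hard-coded C2 IPs look in a capture. The script below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It runs both heuristics over constructed log lines: the C2 address, ports 9000 and 15647, the /wbinjget URI and 20.50.201.200 are taken from the flows listed above, while the timestamps, www.example.com, 203.0.113.10 and 192.168.2.1 are invented.

```python
"""Beacon and bare-IP C2 heuristics over constructed flow/HTTP log lines.
Added example; not code from the report or the analysed sample."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not an export of the report's pcap). Field order:
# ts src_ip src_port dst_ip dst_port detail. C2 address, ports and URI mirror the
# report; timestamps, www.example.com, 203.0.113.10 and 192.168.2.1 are invented.
HTTP_LOG = """\
10:00:01 192.168.2.7 58419 213.109.202.97 9000 GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
10:00:06 192.168.2.7 58420 213.109.202.97 9000 GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
10:00:11 192.168.2.7 58421 213.109.202.97 9000 GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
10:00:16 192.168.2.7 58422 213.109.202.97 9000 GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
10:00:21 192.168.2.7 58423 213.109.202.97 9000 GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
10:00:30 192.168.2.7 58500 203.0.113.10 80 GET /index.html
10:00:31 192.168.2.7 58501 203.0.113.10 80 GET /favicon.ico
"""
DNS_LOG = """\
09:59:58 192.168.2.7 58350 1.1.1.1 53 A www.example.com 203.0.113.10
"""
CONN_LOG = """\
09:59:58 192.168.2.7 58350 1.1.1.1 53 tcp
10:00:00 192.168.2.7 49716 213.109.202.97 15647 tcp
10:00:01 192.168.2.7 58419 213.109.202.97 9000 tcp
10:00:02 192.168.2.7 58600 192.168.2.1 445 tcp
10:00:30 192.168.2.7 58500 203.0.113.10 80 tcp
10:00:40 192.168.2.7 58510 20.50.201.200 443 tcp
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")   # fixed 32-hex token, like q=ABEE5D02... above
COMMON_HTTP_PORTS = {80, 443, 8080, 8443}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log):
    """Split one record per line into (ts, src, sport, dst, dport, detail)."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            ts, src, sport, dst, dport, detail = line.split(" ", 5)
            rows.append((ts, src, int(sport), dst, int(dport), detail))
    return rows


def _secs(ts):
    h, m, s = map(int, ts.split(":"))
    return h * 3600 + m * 60 + s


def _is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_beacons(http_log, min_repeats=3):
    """Identical request to one dst:port on an uncommon HTTP port, repeated from
    fresh source ports; reports the mean inter-request gap and any query
    parameter whose value is a fixed 32-hex token."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport, req in parse(http_log):
        groups[(src, dst, dport, req)].append((sport, _secs(ts)))
    hits = []
    for (src, dst, dport, req), seen in groups.items():
        if len(seen) < min_repeats or dport in COMMON_HTTP_PORTS:
            continue
        uri = req.partition(" ")[2]
        params = dict(p.split("=", 1) for p in uri.partition("?")[2].split("&") if "=" in p)
        times = sorted(t for _, t in seen)
        gaps = [b - a for a, b in zip(times, times[1:])]
        hits.append({
            "src": src, "dst": dst, "dport": dport, "uri": uri,
            "count": len(seen),
            "distinct_sports": len({sp for sp, _ in seen}),   # new TCP connection per request
            "mean_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "hex32_params": [k for k, v in params.items() if HEX32.match(v)],
        })
    return hits


def flows_without_dns(conn_log, dns_log):
    """Non-LAN TCP destinations that no DNS answer in the capture resolved to
    (hard-coded addresses), mapped to the destination ports used."""
    resolved = set()
    for *_, answer in parse(dns_log):
        rtype, _name, ip = answer.split(" ", 2)
        if rtype in ("A", "AAAA"):
            resolved.add(ip)
    flagged = defaultdict(set)
    for _ts, _src, _sport, dst, dport, _proto in parse(conn_log):
        if _is_lan(dst) or dport == 53 or dst in resolved:
            continue   # LAN peers, resolver traffic and resolved names are expected
        flagged[dst].add(dport)
    return {dst: sorted(ports) for dst, ports in flagged.items()}


if __name__ == "__main__":
    for hit in find_beacons(HTTP_LOG):
        print("beacon:", hit)
    for dst, ports in flows_without_dns(CONN_LOG, DNS_LOG).items():
        print("no DNS answer for", dst, "ports", ports)
```

On the constructed input the beacon detector returns the single 213.109.202.97:9000 group with five requests from five distinct source ports, a 5 s mean gap and `q` as the 32-hex parameter; the DNS correlation flags 213.109.202.97 on ports 9000 and 15647 but also 20.50.201.200 on 443, a cloud-provider address that is more likely Windows background traffic than the sample's. Treat the no-DNS result as a triage signal to join with port, ASN and request regularity, not as an alert on its own.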
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://213.109.202.97:
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://213.109.202.97:9000
Source: content.js.10.dr String found in binary or memory: http://213.109.202.97:9000/
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002CC8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://213.109.202.97:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.net/root-r3.crl0G
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: MSBuild.exe, 0000000A.00000002.3938537264.00000000079D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1496935577.0000000005A6D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790448145.0000000004D0D000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000007.00000002.1840861986.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000B.00000002.1899025755.0000000005025000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000016.00000002.3845785608.0000000004538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://donutsoft.org
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://donutsoft.org/
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://donutsoft.org/nusrHtwtb_file.tmpdonutsoftRy%02dp.%02dv.%02dm.%03dr.%s.%s.iddo%s%d%s%s%d%s%sr
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://donutsoft.orghttps://t.me/donutsoftSubjectHello
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://donutsoft.orghttps://t.me/donutsoftdonutsoftorg
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000019.00000002.3848723015.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/Ld9GfkdJ
Source: MSBuild.exe, 0000000D.00000002.1845033277.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.1902328832.0000000003171000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000019.00000002.3848723015.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/Ld9GfkdJPOr6
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://pay.cloudtips.ru/p/96db8bb7https://donationalerts.com/r/donutsoft
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://paypal.me/donutsofthttps://patreon.com/donutsofthttps://ko-fi.com/donutsofthttps://buymeacof
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://qiwi.com/...
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://t.me/donutsoft
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://www.globalsign.com/repository/03
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://www.globalsign.com/repository/06
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3925960520.0000000003D78000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000003054000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3913689241.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe String found in binary or memory: https://yoomoney.ru/to/410015205849375https://qiwi.com/n/DONUTSOFT
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Source: 7.2.more.com.57300c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 22.2.more.com.51c00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.more.com.5c100c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.more.com.5c100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.more.com.5fd00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.MSBuild.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 7.2.more.com.57300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.more.com.5fd00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 22.2.more.com.51c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\yuyhf, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\kwvvjj, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\xwv, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Code function: 0_2_00B64F95 NtQuerySystemInformation, 0_2_00B64F95
Source: C:\Windows\SysWOW64\more.com File created: C:\Windows\Tasks\AsusFCNotification.job
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6C880 10_2_00E6C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E61070 10_2_00E61070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6B01F 10_2_00E6B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6D110 10_2_00E6D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E615E0 10_2_00E615E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6BD78 10_2_00E6BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6C843 10_2_00E6C843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6A908 10_2_00E6A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6D0F3 10_2_00E6D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6B09E 10_2_00E6B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E61060 10_2_00E61060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E615C3 10_2_00E615C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6BD45 10_2_00E6BD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0570F9E8 10_2_0570F9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0570E610 10_2_0570E610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_057011B8 10_2_057011B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_05704CC0 10_2_05704CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD7678 10_2_06BD7678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD6668 10_2_06BD6668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD0FA0 10_2_06BD0FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD7BA0 10_2_06BD7BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD9BEF 10_2_06BD9BEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BDD7E0 10_2_06BDD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD8F38 10_2_06BD8F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BDDCEE 10_2_06BDDCEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BDEC20 10_2_06BDEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD5C68 10_2_06BD5C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD4DB0 10_2_06BD4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD85F8 10_2_06BD85F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD4948 10_2_06BD4948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD1E3C 10_2_06BD1E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD1E60 10_2_06BD1E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD6658 10_2_06BD6658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD0F90 10_2_06BD0F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD7B86 10_2_06BD7B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD8F24 10_2_06BD8F24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD1315 10_2_06BD1315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD3030 10_2_06BD3030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD3020 10_2_06BD3020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD5C59 10_2_06BD5C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD0040 10_2_06BD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD85E8 10_2_06BD85E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD4938 10_2_06BD4938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D51EB1 10_2_06D51EB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D53FF8 10_2_06D53FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D513EF 10_2_06D513EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D57790 10_2_06D57790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D5B380 10_2_06D5B380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D55318 10_2_06D55318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D56098 10_2_06D56098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D5C568 10_2_06D5C568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D536E8 10_2_06D536E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D50BD0 10_2_06D50BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D56089 10_2_06D56089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D5846A 10_2_06D5846A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D53438 10_2_06D53438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D53427 10_2_06D53427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D56826 10_2_06D56826
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D56828 10_2_06D56828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D5C558 10_2_06D5C558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D686D0 10_2_06D686D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6E618 10_2_06D6E618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D658A0 10_2_06D658A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6C84B 10_2_06D6C84B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6D071 10_2_06D6D071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6DC08 10_2_06D6DC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6E608 10_2_06D6E608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D60FB1 10_2_06D60FB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6588B 10_2_06D6588B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D60C88 10_2_06D60C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6B05B 10_2_06D6B05B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D60040 10_2_06D60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6B068 10_2_06D6B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6A550 10_2_06D6A550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D6A535 10_2_06D6A535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07046830 10_2_07046830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_070481C0 10_2_070481C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07040006 10_2_07040006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07041611 10_2_07041611
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07041620 10_2_07041620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07043720 10_2_07043720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07043730 10_2_07043730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07040040 10_2_07040040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07049548 10_2_07049548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07049558 10_2_07049558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_070481B0 10_2_070481B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_070452D7 10_2_070452D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_070452E8 10_2_070452E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07314334 10_2_07314334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07310040 10_2_07310040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07310007 10_2_07310007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07319EF8 10_2_07319EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07319EE9 10_2_07319EE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07319EC0 10_2_07319EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07312CB8 10_2_07312CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07312CC8 10_2_07312CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794C5C0 10_2_0794C5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07940358 10_2_07940358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794B748 10_2_0794B748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794D160 10_2_0794D160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07948968 10_2_07948968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07949A98 10_2_07949A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_079416F0 10_2_079416F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_079432E8 10_2_079432E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07942040 10_2_07942040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07944380 10_2_07944380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794EB10 10_2_0794EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794EB00 10_2_0794EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794B73A 10_2_0794B73A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07940348 10_2_07940348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794A888 10_2_0794A888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794DAD8 10_2_0794DAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07942030 10_2_07942030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07942650 10_2_07942650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0794444D 10_2_0794444D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07999EC8 10_2_07999EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799CD48 10_2_0799CD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07991368 10_2_07991368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799B2BB 10_2_0799B2BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07996180 10_2_07996180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_079988FB 10_2_079988FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_079977D8 10_2_079977D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_079977E8 10_2_079977E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07999EB9 10_2_07999EB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07990598 10_2_07990598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799953F 10_2_0799953F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799EB00 10_2_0799EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799EAF1 10_2_0799EAF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07997188 10_2_07997188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799C128 10_2_0799C128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07996180 10_2_07996180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0799717A 10_2_0799717A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C50A80 10_2_07C50A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C5A680 10_2_07C5A680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C55A68 10_2_07C55A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C535D8 10_2_07C535D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C57840 10_2_07C57840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C59708 10_2_07C59708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C55F38 10_2_07C55F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C596F4 10_2_07C596F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C535CA 10_2_07C535CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C574C8 10_2_07C574C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C50040 10_2_07C50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C56440 10_2_07C56440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C57822 10_2_07C57822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C56430 10_2_07C56430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07945E73 10_2_07945E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C517C0 10_2_07C517C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_07C517B2 10_2_07C517B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_0101B01F 13_2_0101B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_01011070 13_2_01011070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_010115E0 13_2_010115E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_01011060 13_2_01011060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_0101B09E 13_2_0101B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_010115C3 13_2_010115C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_0101A908 13_2_0101A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_0101BD45 13_2_0101BD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 13_2_0101BD78 13_2_0101BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015C1070 14_2_015C1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015CB030 14_2_015CB030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015C15E0 14_2_015C15E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015C1060 14_2_015C1060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015CB09E 14_2_015CB09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015C15C3 14_2_015C15C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015CA908 14_2_015CA908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015CBD45 14_2_015CBD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_015CBD78 14_2_015CBD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C61070 25_2_00C61070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C6B01F 25_2_00C6B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C615E0 25_2_00C615E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C6B09E 25_2_00C6B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C61060 25_2_00C61060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C615C3 25_2_00C615C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C6A908 25_2_00C6A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C6BD45 25_2_00C6BD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00C6BD78 25_2_00C6BD78
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: invalid certificate
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000000.1450711793.0000000000E6A000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: - v.. v.XX (XX)(DEBUG)FileVersionProductNameLegalCopyrightCompanyNameBuild DateLegalTrademarksFileDescriptionInternalNameOriginalFilenameComments%d %d %d %d%d.%d.%d.%d%d.%d%d\VarFileInfo\Translation\StringFileInfo\%04x%04x\%s vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1492795481.00000000051CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1473697216.0000000000E78000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: - v.. v.XX (XX)(DEBUG)FileVersionProductNameLegalCopyrightCompanyNameBuild DateLegalTrademarksFileDescriptionInternalNameOriginalFilenameComments%d %d %d %d%d.%d.%d.%d%d.%d%d\VarFileInfo\Translation\StringFileInfo\%04x%04x\%s vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000000.1450787050.000000000168D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTrayButton.exeP vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1476206981.0000000003C7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <0B>0BF0B<0BY0B- v.. v.XX (XX)(DEBUG)FileVersionProductNameLegalCopyrightCompanyNameBuild DateLegalTrademarksFileDescriptionInternalNameOriginalFilenameComments%d %d %d %d%d.%d.%d.%d%d.%d%d\VarFileInfo\Translation\StringFileInfo\%04x%04x\%s vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1494906771.00000000056ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Binary or memory string: <0B>0BF0B<0BY0B- v.. v.XX (XX)(DEBUG)FileVersionProductNameLegalCopyrightCompanyNameBuild DateLegalTrademarksFileDescriptionInternalNameOriginalFilenameComments%d %d %d %d%d.%d.%d.%d%d.%d%d\VarFileInfo\Translation\StringFileInfo\%04x%04x\%s vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Binary or memory string: OriginalFilenameTrayButton.exeP vs 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 7.2.more.com.57300c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 22.2.more.com.51c00c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.more.com.5c100c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.more.com.5c100c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5fd00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.MSBuild.exe.9c0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 7.2.more.com.57300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5fd00c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 22.2.more.com.51c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\yuyhf, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\kwvvjj, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\xwv, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.more.com.5fd00c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.more.com.57300c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/77@0/1
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\3be3d8d5cb13427ea81a3e9e0b03f0d2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe File created: C:\Users\user~1\AppData\Local\Temp\527e37c9
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\SysWOW64\more.com File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe File read: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe
Source: unknown Process created: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe "C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe"
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: unknown Process created: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe "C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe"
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: idndl.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: vssapi.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: vsstrace.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: idndl.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\more.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
Source: runenwwtdnpx.2.dr LNK file: ..\..\..\..\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static file information: File size 19169216 > 1048576
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x308400
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa99200
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1494906771.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1492795481.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790316524.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790621154.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1841195859.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1840643368.00000000048B9000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1898876592.0000000004CC7000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1899243196.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3846342146.00000000047B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3845330061.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1494906771.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1492795481.00000000050AB000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790316524.00000000049A0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1790621154.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1841195859.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000007.00000002.1840643368.00000000048B9000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1898876592.0000000004CC7000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.1899243196.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3846342146.00000000047B0000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000016.00000002.3845330061.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Static PE information: section name: .didata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_00E6EC5D push eax; iretd 10_2_00E6EC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D63E78 push es; ret 10_2_06D63E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D63E1D push es; ret 10_2_06D63E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D684C7 push es; retf 10_2_06D684D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06D66DA2 push esp; ret 10_2_06D66DA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_0731CC68 push eax; iretd 10_2_0731CC69
Source: kwvvjj.2.dr Static PE information: section name: .text entropy: 6.81643408206793
Source: xwv.7.dr Static PE information: section name: .text entropy: 6.81643408206793
Source: yuyhf.11.dr Static PE information: section name: .text entropy: 6.81643408206793
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\kwvvjj
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\pvrrwvlxy
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\xwv
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\yuyhf
Source: C:\Windows\SysWOW64\more.com File created: C:\Windows\Tasks\AsusFCNotification.job

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KWVVJJ
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\XWV
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YUYHF
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PVRRWVLXY
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe API/Special instruction interceptor: Address: 769C7C44
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe API/Special instruction interceptor: Address: 769C7945
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 769C3B54
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe API/Special instruction interceptor: Address: 769C7C44
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe API/Special instruction interceptor: Address: 769C7945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2820000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 15C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3674
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kwvvjj
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pvrrwvlxy
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwv
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yuyhf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key enumerated: More than 140 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -51739s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -40806s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59450s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4216 Thread sleep time: -59343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -43926s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -37805s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -41713s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -55199s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -58084s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -48477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -37343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -36515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -55200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -50943s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -39854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2880 Thread sleep time: -540000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -39680s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -44791s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -40895s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -56297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -57530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -47774s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -30845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -50821s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -52405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -47400s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -58301s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -54094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -45011s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -43787s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -33504s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4296 Thread sleep time: -56157s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 348 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51739 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40806 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59561 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59450 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 43926 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37805 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41713 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55199 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58084 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 48477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55200 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50943 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39854 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39680 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44791 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40895 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57530 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47774 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30845 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50821 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52405 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47400 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58301 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45011 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 43787 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33504 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56157 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: ITERHPGen.exe, 00000009.00000002.1723498304.0000000001384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe, 00000000.00000002.1475015007.0000000001B38000.00000004.00000020.00020000.00000000.sdmp, ITERHPGen.exe, 00000006.00000002.1648112326.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000A.00000002.3907884256.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp, ITERHPGen.exe, 00000014.00000002.3661534615.0000000001498000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000A.00000002.3913689241.0000000002F54000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000A.00000002.3925960520.0000000003D43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_06BD29B8 LdrInitializeThunk, 10_2_06BD29B8
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Code function: 0_2_00B65665 mov eax, dword ptr fs:[00000030h] 0_2_00B65665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe NtSetInformationThread: Direct from: 0xB66306 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe NtQuerySystemInformation: Direct from: 0x77757B2E
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe NtSetInformationThread: Direct from: 0x126306
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8B1008 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 60B008 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F68008 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 70101000
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 436008
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: 1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Binary or memory string: Minimize TrayButton(fail) (2023)Hide WhatsApp applicationShow WhatsApp applicationWhatsApp is opening..WhatsApp is closing..Please wait..TrayButton.cfgTrayButton XTrayButton YCritical system parameterTrayButton will remember thisStart TrayButton on loginMinimize WTB to tray on startupMinimize WhatsApp to tray on startupMinimize WhatsApp to tray when clicking tray iconOpen WhatsApp with a single clickOpen WhatsApp on new message or callShow missed WhatsApp events on tray iconSupport battery saving modeLanguageCheck Count MaxCheck CountWe have an old versionChecking network and updatesSensitivity factorProgram ID codeNOT_SET\.\Control Panel\International\GeoNation0123456789%dSOFTWARE\Microsoft\CryptographyMachineGuidC:\Program Files (x86)\TrayButtonForWhatsApp\TrayButton.exe--bootSoftware\Microsoft\Windows\CurrentVersion\RunTrayButtonForWhatsAppTrayButtonForWhatsAppShell_traywnd8.8.8.877.88.8.89.9.9.9208.67.222.2221.1.1.18.26.56.2676.76.19.19185.225.168.168176.103.130.13064.6.64.6216.87.84.21184.200.69.80*8.8.4.4
Source: C:\Users\user\Desktop\1cad1f43e4768f56d68bb2b2737b7f5eebe78e8737f38.exe Queries volume information: C:\Users\user\AppData\Local\Temp\527e37c9 VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\more.com Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Queries volume information: C:\Users\user\AppData\Local\Temp\5d1ee590 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Queries volume information: C:\Users\user\AppData\Local\Temp\61739b62 VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ITEinboxI2CFlash\ITERHPGen.exe Queries volume information: C:\Users\user\AppData\Local\Temp\d5087297 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 7.2.more.com.57300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.57300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1790965058.0000000005FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1841478757.0000000005730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3847190043.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1899584692.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1841211750.00000000009C2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 2664, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yuyhf, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\kwvvjj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\xwv, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: 7.2.more.com.57300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.57300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3933436343.00000000061B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1790965058.0000000005FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1841478757.0000000005730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3847190043.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1899584692.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1841211750.00000000009C2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 2664, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yuyhf, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\kwvvjj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\xwv, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 7.2.more.com.57300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.more.com.5c100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.57300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.more.com.5fd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.more.com.51c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1790965058.0000000005FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1841478757.0000000005730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3847190043.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1899584692.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1841211750.00000000009C2000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: more.com PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 6284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 2664, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\yuyhf, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\kwvvjj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\xwv, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pvrrwvlxy, type: DROPPED