Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560988
MD5: bfc5ea31b4aeefec1508e8f5b458e574
SHA1: 976fe53a467068719f70a856dca3bb7b65a9d6dc
SHA256: 44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b
Tags: exeuser-Bitsight

Detection

RedLine, SectopRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected SectopRAT
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and installed security software. More recent versions added the ability to steal cryptocurrency wallets. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq Avira: detection malicious, Label: TR/Agent.edjbt
Source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav Avira: detection malicious, Label: TR/Agent.edjbt
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066EA368 CryptUnprotectData, 14_2_066EA368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066EAB7B CryptUnprotectData, 14_2_066EAB7B
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: pbBuf != NULLlnLength != 0SZipFile::AppendCentralDirFileHeaderpOut != NULLY:\projects\_main\SZipFile.cppSZipFile::AllocateNewDataBlockastrInFilePaths[i]astrInFilePaths.size() != 0_S_FALSE(m_zf.bZipFileOpen)strOutFilePathSZipFile::CompressFilesAbspbCopyTo != NULLpdb->pdbNext != NULLrcdc.pdbFirst != NULL && rcdc.pdbLast != NULLSZipFile::DeleteDataBlocksdwLength <= 4readastrInFileNames[i]astrInFileNames.size() != 0SZipFile::CompressFilesRelpfileIn != NULLrb_S_FALSE(m_zf.bSubFileOpen)_S_TRUE(m_zf.bZipFileOpen)strGlobalCommentSZipFile::ZipCloseSZipFile::SZipFilehFind != INVALID_HANDLE_VALUE_S_FALSE(strFilePath.IsEmpty())SZipFile::GetFileTimem_zf.sfi.dwLocalFileHeaderPos != _S_NUM_MAXDWORDlpszFilePathlpszCommentSZipFile::ZipCreateSubFiledwOldPos != _S_NUM_MAXDWORD_S_TRUE(m_zf.bSubFileOpen)SZipFile::ZipCloseSubFiledwPosCentralDir != _S_NUM_MAXDWORDSZipFile::ZipWriteSubFilem_zf.dwStartPos != _S_NUM_MAXDWORDwbSZipFile::ZipOpen1.3.1m_zf.sfi.pbCentralDirFileHeader != NULLSDocument8 source: Mp3tag.exe
Source: Binary string: rcdc.pdbFirst != NULL && rcdc.pdbLast != NULL source: Mp3tag.exe
Source: Binary string: Y:\build\binaries\mp3tag\Mp3tag64.pdb source: Mp3tag.exe
Source: Binary string: ntdll.pdb source: Mp3tag.exe, 00000007.00000002.1384357397.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000007.00000002.1384655119.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1515559005.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1516217493.0000000003374000.00000004.00000001.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1514986366.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822098294.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821488340.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822379976.00000000033E9000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 0000000B.00000002.1779165142.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1778939346.0000000004685000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055918179.0000000005310000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055438521.0000000004E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Mp3tag.exe, 00000007.00000002.1384357397.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000007.00000002.1384655119.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1515559005.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1516217493.0000000003374000.00000004.00000001.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1514986366.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822098294.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821488340.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822379976.00000000033E9000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 0000000B.00000002.1779165142.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1778939346.0000000004685000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055918179.0000000005310000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055438521.0000000004E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\build\binaries\mp3tag\Mp3tag64.pdb? source: Mp3tag.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390C3984 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 5_2_00007FF7390C3984
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D62F0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW, 5_2_00007FF7390D62F0
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390E6DC0 FindFirstFileExA, 5_2_00007FF7390E6DC0
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_0081C510 FindFirstFileW,FindClose, 7_2_0081C510
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_00812940 FindFirstFileW,FindFirstFileW, 7_2_00812940
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_0081BD50 FindFirstFileW,FindClose,lstrlenW, 7_2_0081BD50
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004DC510 FindFirstFileW,FindClose, 9_2_004DC510
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004DBD50 FindFirstFileW,FindClose,lstrlenW, 9_2_004DBD50
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004D2940 FindFirstFileW,FindFirstFileW, 9_2_004D2940
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0669C6F9h 14_2_0669C5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0669C6F9h 14_2_0669C708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0669C6F9h 14_2_0669C5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-28h] 14_2_068581C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06B1410Bh 14_2_06B13AE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 06B1410Bh 14_2_06B140E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 072C3FCCh 14_2_072C2FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 072C3FCCh 14_2_072C2FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0742E419h 14_2_0742D768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov eax, dword ptr [ebp-68h] 14_2_0742D768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0742EA6Eh 14_2_0742D768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 0742C5F1h 14_2_0742C5D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp 07421D94h 14_2_074218FE

Networking

Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49817 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49803 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:49787 -> 45.141.87.55:15647
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49794 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49845 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49806 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49840 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49849 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49858 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49811 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49853 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49799 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 45.141.87.55:15647 -> 192.168.2.7:49787
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49826 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49866 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49837 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49863 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49872 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49885 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49881 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49889 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49876 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49898 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49895 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49904 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49908 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49917 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49927 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49935 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49939 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49948 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49952 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49957 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49962 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49966 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49971 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49975 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49979 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49983 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49930 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49921 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49821 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49831 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49989 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49943 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49913 -> 45.141.87.55:9000
Source: global traffic TCP traffic: 45.141.87.55 ports 9000,1,4,5,6,7,15647
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49989
Source: global traffic TCP traffic: 192.168.2.7:49787 -> 45.141.87.55:15647
Source: global traffic HTTP traffic detected: 44 repeated GET requests to the same URI on 45.141.87.55:9000 (24 carrying a Connection: Keep-Alive header, 20 without it); none of the captured requests carries a User-Agent header, which is what the "HTTP GET or POST without a user agent" signature above flags. The request as captured, with the header line breaks that the report flattened restored:
GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1
Host: 45.141.87.55:9000
Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 45.141.87.55 45.141.87.55
Source: Joe Sandbox View ASN Name: CLOUDBACKBONERU CLOUDBACKBONERU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49817 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49803 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49821 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49845 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49840 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49811 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49837 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49898 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49908 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49917 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49927 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49935 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49939 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49952 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49966 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49975 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49979 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49983 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49831 -> 45.141.87.55:9000
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49989 -> 45.141.87.55:9000
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138 (observed 11 times)
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203 (observed 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200 (observed 7 times)
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.87.55 (observed 29 times)
Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 | Host: 45.141.87.55:9000 | Connection: Keep-Alive (24 identical requests)
Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 | Host: 45.141.87.55:9000 (20 identical requests without a Connection header)
Source: global traffic DNS traffic detected: DNS query: time.windows.com
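The network block above is the report's most actionable material: a fixed GET to a bare IP on a non-standard port with a 32-hex-character `q` value, repeated from many ephemeral source ports, with no DNS lookup preceding it. The Python below is an added example, not code from the report or from Joe Sandbox: it parses lines in the raw export's format (where the request line and headers run together as `HTTP/1.1Host: ...Connection: ...`), re-splits the headers, aggregates the beacons, Suricata hits and no-DNS destinations, and emits a local Suricata rule for the observed shape. `SAMPLE_LINES` is constructed to mirror the report's lines; the `is_beacon` heuristic, the generated rule and its `sid` are assumptions of this example, and the rule is not ETPRO 2803305, whose match content the report does not show.

```python
"""Parse the report's network indicator lines into IOCs and a beacon summary.

Added example, not code from the Joe Sandbox report. The raw export runs each
request line and its headers together ("HTTP/1.1Host: ...Connection: ...");
this re-splits them, aggregates identical beacons, collects the Suricata hits
and no-DNS destinations, and emits a hypothetical local Suricata rule.
SAMPLE_LINES is constructed in the report's own format.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LINES = [  # constructed sample, mirrors the report's line format
    "Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 45.141.87.55:9000Connection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 45.141.87.55:9000",
    "Source: global traffic HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 45.141.87.55:9000Connection: Keep-Alive",
    "Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49817 -> 45.141.87.55:9000",
    "Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49803 -> 45.141.87.55:9000",
    "Source: unknown TCP traffic detected without corresponding DNS query: 45.141.87.55",
    "Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138",
    "Source: global traffic DNS traffic detected: DNS query: time.windows.com",
]

HTTP_RE = re.compile(r"HTTP traffic detected: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d(?P<hdrs>.*)$")
SURICATA_RE = re.compile(r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
                         r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (?P<ip>[\d.]+)$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def split_headers(glued):
    """Re-split headers the export ran together, cutting before each "Name: " token.
    A header value that itself contains "Word: " would be cut too; fine for this data."""
    parts = [p for p in re.split(r"(?=[A-Z][A-Za-z-]*: )", glued) if p]
    return {k.strip(): v.strip() for k, v in (p.split(":", 1) for p in parts)}


def parse_http(line):
    """Return method/path/query/headers for an 'HTTP traffic detected' line, else None."""
    m = HTTP_RE.search(line)
    if not m:
        return None
    hdrs = split_headers(m["hdrs"])
    u = urlsplit(m["uri"])
    return {"method": m["method"], "path": u.path, "query": parse_qs(u.query),
            "host": hdrs.get("Host", ""), "headers": hdrs}


def is_beacon(req):
    """Heuristic (an assumption of this example) for the shape seen in the report:
    GET to a bare IPv4 Host header on a non-web port with a 32-hex query value."""
    host, sep, port = req["host"].rpartition(":")
    if not sep:                      # Host header without an explicit port
        host, port = port, "80"
    bare_ip = IPV4_RE.fullmatch(host) is not None
    odd_port = port.isdigit() and int(port) not in (80, 443, 8080)
    hex_q = any(HEX32_RE.match(v) for vals in req["query"].values() for v in vals)
    return req["method"] == "GET" and bare_ip and odd_port and hex_q


def summarize(lines):
    """Aggregate beacons, other HTTP, Suricata alerts and no-DNS destinations."""
    beacons, other_http, no_dns = Counter(), Counter(), Counter()
    alerts = defaultdict(list)       # (sid, msg) -> [(src port, "dst:port"), ...]
    for line in lines:
        req = parse_http(line)
        if req:
            key = (req["host"], req["path"], tuple(sorted(req["query"])))
            (beacons if is_beacon(req) else other_http)[key] += 1
            continue
        m = SURICATA_RE.search(line)
        if m:
            alerts[(m["sid"], m["msg"])].append((int(m["sport"]), f'{m["dst"]}:{m["dport"]}'))
            continue
        m = NODNS_RE.search(line)
        if m:
            no_dns[m["ip"]] += 1
    return {"beacons": dict(beacons), "other_http": dict(other_http),
            "alerts": dict(alerts), "no_dns": dict(no_dns)}


def suricata_rule(host_port, path, sid=9000001):
    """Hypothetical local rule for the observed beacon shape (not ETPRO 2803305,
    whose match content the report does not show); the sid is a placeholder."""
    host, _, port = host_port.rpartition(":")
    esc_path = path.replace("/", "\\/")   # '/' delimits the pcre, so escape it
    return (f'alert http $HOME_NET any -> {host} {port} '
            f'(msg:"Beacon GET {path}?q=<32 hex> to {host_port}"; flow:established,to_server; '
            f'http.method; content:"GET"; http.uri; content:"{path}?q="; startswith; '
            f'pcre:"/^{esc_path}\\?q=[0-9A-F]{{32}}$/"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for (host_port, path, _), n in summary["beacons"].items():
        print(f"{n} beacon(s) to {host_port}{path}")
        print(suricata_rule(host_port, path))
    print("alerts:", summary["alerts"])
    print("contacted without DNS:", summary["no_dns"])
```

Run it over a saved copy of the report's network lines (here the constructed sample) and feed the `beacons` keys to a blocklist; the `no_dns` counter also includes the other addresses the sandbox contacted without a lookup, so review that list rather than blocking it wholesale. The Suricata hits are all from distinct sandbox-side ephemeral ports to the single destination 45.141.87.55:9000, which is what the head's "connects to many ports of the same IP" signature is reacting to here.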
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.87.55:9000
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002411000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2525529925.0000000002505000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.141.87.55:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Mp3tag.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Mp3tag.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Mp3tag.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Mp3tag.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Mp3tag.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Mp3tag.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Mp3tag.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Mp3tag.exe String found in binary or memory: http://musicbrainz.org
Source: MSBuild.exe, 0000000E.00000002.2536124574.0000000007542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adob
Source: Mp3tag.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Mp3tag.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: MSBuild.exe, 0000000E.00000002.2536124574.0000000007542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oent
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002411000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2525529925.0000000002689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002689000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/h
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Mp3tag.exe, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002C59000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.000000000519C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: Mp3tag.exe String found in binary or memory: https://api.discogs.com/oauth/access_token
Source: Mp3tag.exe String found in binary or memory: https://api.discogs.com/oauth/identity
Source: Mp3tag.exe String found in binary or memory: https://api.discogs.com/oauth/identityvwSgWuuGMPKbPEOYNTFNZsDQawYvtlmt?oauth_token=https://api.disco
Source: Mp3tag.exe String found in binary or memory: https://api.discogs.com/oauth/request_token
Source: Mp3tag.exe String found in binary or memory: https://community.mp3tag.de/
Source: Mp3tag.exe String found in binary or memory: https://community.mp3tag.de/pStaticSupport
Source: Mp3tag.exe String found in binary or memory: https://community.mp3tag.de/t/export-configuration-archive/1495CMTExportDlg::OnEndlabeleditListnItem
Source: Mp3tag.exe String found in binary or memory: https://community.mp3tag.deCMTMainFrame::OnHelpSupportCMTMainFrame::CheckMailAdressCMTMainFrame::Ref
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: Mp3tag.exe String found in binary or memory: https://docs.mp3tag.de/credits/
Source: Mp3tag.exe String found in binary or memory: https://docs.mp3tag.de/credits/Y:
Source: Mp3tag.exe String found in binary or memory: https://download.mp3tag.de/versions.xmlCMTUpdater::HandleLatestVersion
Source: Mp3tag.exe String found in binary or memory: https://gnudb.org/%s/%s(artistalbum
Source: Mp3tag.exe String found in binary or memory: https://gnudb.orgErrorFound
Source: MSBuild.exe, 00000014.00000002.2057624072.00000000032C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/XK7ARdVw
Source: MSBuild.exe, 00000014.00000002.2057624072.00000000032C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/XK7ARdVwPO
Source: Mp3tag.exe String found in binary or memory: https://sectigo.com/CPS0
Source: Mp3tag.exe, 00000007.00000002.1384095495.0000000002D8C000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1504119662.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1779056254.0000000004A31000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821063207.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Mp3tag.exe String found in binary or memory: https://www.discogs.com/oauth/authorize
Source: Mp3tag.exe String found in binary or memory: https://www.mp3tag.de
Source: Mp3tag.exe String found in binary or memory: https://www.mp3tag.de/en/donations.html
Source: Mp3tag.exe String found in binary or memory: https://www.mp3tag.de/en/donations.htmlpStaticDonate
Source: Mp3tag.exe String found in binary or memory: https://www.mp3tag.de/en/privacy.htmlpos
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49699 version: TLS 1.2

System Summary

Source: 16.2.cmd.exe.58000c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 20.2.MSBuild.exe.1300000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.cmd.exe.54400c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 16.2.cmd.exe.58000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 11.2.cmd.exe.54400c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_005C1868 NtResumeThread, 15_2_005C1868
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C59198 NtSuspendThread, 15_2_02C59198
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe F1973746AC0A703B23526F68C639436F0B26B0BC71C4F5ADF36DC5F6E8A7F4D0
Source: Mp3tag.exe.5.dr Static PE information: Resource name: RT_ICON type: tar archive (old), type ' ' (, mode 06\272, seconds \020+\327, linkname :\332, comment: h\320
Source: Mp3tag.exe.7.dr Static PE information: Resource name: RT_ICON type: tar archive (old), type ' ' (, mode 06\272, seconds \020+\327, linkname :\332, comment: h\320
Source: file.exe, 00000005.00000003.1304524889.000001DFD35BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMp3tag.exe. vs file.exe
Source: file.exe, 00000005.00000002.1306004682.00007FF739105000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenametak_deco_lib.dll\ vs file.exe
Source: file.exe, 00000005.00000002.1305419841.000001DFD35BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMp3tag.exe. vs file.exe
Source: 16.2.cmd.exe.58000c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 20.2.MSBuild.exe.1300000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.cmd.exe.54400c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 16.2.cmd.exe.58000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.cmd.exe.54400c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 11.2.cmd.exe.54400c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: 16.2.cmd.exe.58000c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/28@1/1
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390C1C18 GetLastError,FormatMessageW, 5_2_00007FF7390C1C18
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D405C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 5_2_00007FF7390D405C
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe File created: C:\Users\user\AppData\Roaming\Downloadplugin
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\e72514ca91fc4303a01342e0f709e917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\Bijouterie
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: select * from albums where artist like ? and album like ?;
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: insert into `albums` values(?, ?, ?, ?, ?, ?, ?);
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: select * from albums where album like ?;
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: create table albums (discid varchar(255) not null, tracks int not null, length int not null, tone int not null, genre int not null, artist varchar(255), album varchar(255));
Source: Mp3tag.exe, 00000007.00000002.1386873220.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000007.00000000.1301371036.00000001407FC000.00000002.00000001.01000000.00000009.sdmp, Mp3tag.exe, 00000009.00000000.1380222016.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 00000009.00000002.1517151205.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000002.1823779476.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe, 0000000F.00000000.1702287790.00000001407FC000.00000002.00000001.01000000.0000000C.sdmp, Mp3tag.exe.7.dr Binary or memory string: select * from albums where artist like ?;
Source: Mp3tag.exe String found in binary or memory: wild-stop-dirs
Source: Mp3tag.exe String found in binary or memory: more-help
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe "C:\Users\user~1\AppData\Local\Temp\Bijouterie\Mp3tag.exe"
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Process created: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe "C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe"
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe "C:\Users\user~1\AppData\Local\Temp\Bijouterie\Mp3tag.exe"
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Process created: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: tak_deco_lib.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: tak_deco_lib.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: tak_deco_lib.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: ihcsdpxxtwvodu.11.dr LNK file: ..\..\..\..\user\AppData\Roaming\Downloadplugin\Mp3tag.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 6821123 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: pbBuf != NULLlnLength != 0SZipFile::AppendCentralDirFileHeaderpOut != NULLY:\projects\_main\SZipFile.cppSZipFile::AllocateNewDataBlockastrInFilePaths[i]astrInFilePaths.size() != 0_S_FALSE(m_zf.bZipFileOpen)strOutFilePathSZipFile::CompressFilesAbspbCopyTo != NULLpdb->pdbNext != NULLrcdc.pdbFirst != NULL && rcdc.pdbLast != NULLSZipFile::DeleteDataBlocksdwLength <= 4readastrInFileNames[i]astrInFileNames.size() != 0SZipFile::CompressFilesRelpfileIn != NULLrb_S_FALSE(m_zf.bSubFileOpen)_S_TRUE(m_zf.bZipFileOpen)strGlobalCommentSZipFile::ZipCloseSZipFile::SZipFilehFind != INVALID_HANDLE_VALUE_S_FALSE(strFilePath.IsEmpty())SZipFile::GetFileTimem_zf.sfi.dwLocalFileHeaderPos != _S_NUM_MAXDWORDlpszFilePathlpszCommentSZipFile::ZipCreateSubFiledwOldPos != _S_NUM_MAXDWORD_S_TRUE(m_zf.bSubFileOpen)SZipFile::ZipCloseSubFiledwPosCentralDir != _S_NUM_MAXDWORDSZipFile::ZipWriteSubFilem_zf.dwStartPos != _S_NUM_MAXDWORDwbSZipFile::ZipOpen1.3.1m_zf.sfi.pbCentralDirFileHeader != NULLSDocument8 source: Mp3tag.exe
Source: Binary string: rcdc.pdbFirst != NULL && rcdc.pdbLast != NULL source: Mp3tag.exe
Source: Binary string: Y:\build\binaries\mp3tag\Mp3tag64.pdb source: Mp3tag.exe
Source: Binary string: ntdll.pdb source: Mp3tag.exe, 00000007.00000002.1384357397.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000007.00000002.1384655119.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1515559005.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1516217493.0000000003374000.00000004.00000001.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1514986366.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822098294.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821488340.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822379976.00000000033E9000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 0000000B.00000002.1779165142.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1778939346.0000000004685000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055918179.0000000005310000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055438521.0000000004E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Mp3tag.exe, 00000007.00000002.1384357397.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 00000007.00000002.1384655119.00000000032C0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1515559005.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1516217493.0000000003374000.00000004.00000001.00020000.00000000.sdmp, Mp3tag.exe, 00000009.00000002.1514986366.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822098294.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1821488340.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp, Mp3tag.exe, 0000000F.00000002.1822379976.00000000033E9000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 0000000B.00000002.1779165142.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1778939346.0000000004685000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055918179.0000000005310000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.2055438521.0000000004E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Y:\build\binaries\mp3tag\Mp3tag64.pdb? source: Mp3tag.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: file.exe
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bijouterie\__tmp_rar_sfx_access_check_5087812 Jump to behavior
Source: file.exe Static PE information: section name: .didat
Source: file.exe Static PE information: section name: _RDATA
Source: Mp3tag.exe.5.dr Static PE information: section name: _RDATA
Source: tak_deco_lib.dll.5.dr Static PE information: section name: .didata
Source: Mp3tag.exe.7.dr Static PE information: section name: _RDATA
Source: tak_deco_lib.dll.7.dr Static PE information: section name: .didata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_022BEC5D push eax; iretd 14_2_022BEC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066E53D1 push esp; ret 14_2_066E53D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066EA56A pushad ; ret 14_2_066EA56B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066E958B push eax; retf 14_2_066E9591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_066EA597 pushad ; ret 14_2_066EA59B
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0014D1DA push ecx; retf 15_2_0014D309
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0014E1F0 pushad ; retf 15_2_0014E1F1
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0014B6BC push ecx; retf 15_2_0014B709
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0014CF3A push ecx; retf 15_2_0014D1D9
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0014B6A8 push ecx; retf 15_2_0014B709
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_0054DB60 push eax; retf 0054h 15_2_0054DB61
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_005C6A13 push esi; ret 15_2_005C6A15
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_005C694C pushfd ; retf 15_2_005C694D
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C8E921 push eax; ret 15_2_02C8E94F
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C7EF93 push 3B0CC483h; ret 15_2_02C7EF98
Source: umfcpwvoouwjq.11.dr Static PE information: section name: .text entropy: 6.816454717546241
Source: lcqqpedjyaav.16.dr Static PE information: section name: .text entropy: 6.816454717546241
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe File created: C:\Users\user\AppData\Roaming\Downloadplugin\tak_deco_lib.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bijouterie\tak_deco_lib.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe File created: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UMFCPWVOOUWJQ
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\LCQQPEDJYAAV
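The two "Module Loaded" lines above record cmd.exe mapping extensionless files from %TEMP% as executable modules, the same two files the report lists as dropped PE files that were never started as processes. That combination (a system binary, a user-writable directory, no file extension, no signature) is a clean hunting rule. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it applies that rule to records shaped like Sysmon Event ID 7 (Image loaded) fields. The first two records reproduce the paths from the report; the two benign records, the loader allow-list and the "Signed" field values are constructed assumptions for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed records shaped like Sysmon Event ID 7 (Image loaded) fields.
# Rows 1-2 reproduce the "Module Loaded" evidence from the report; rows 3-4 are
# invented benign loads used as negative controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ImageLoaded": r"C:\USERS\user\APPDATA\LOCAL\TEMP\UMFCPWVOOUWJQ", "Signed": "false"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ImageLoaded": r"C:\USERS\user\APPDATA\LOCAL\TEMP\LCQQPEDJYAAV", "Signed": "false"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\helper.dll", "Signed": "true"},
]

# User-writable profile locations a dropper can write to without elevation (case-insensitive,
# because Sysmon and sandboxes do not normalise path case).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)

# Assumption: system binaries that have no legitimate reason to map code from a user profile.
NO_USER_MODULE_LOADERS = {"cmd.exe", "conhost.exe", "msbuild.exe"}


def classify_image_load(event):
    """Return the list of reasons an image-load record is suspicious (empty list = benign)."""
    loaded_path = event["ImageLoaded"]
    loaded = PureWindowsPath(loaded_path)
    loader = PureWindowsPath(event["Image"]).name.lower()
    reasons = []
    if USER_WRITABLE.search(loaded_path) is None:
        return reasons                      # only user-writable locations are in scope here
    if loaded.suffix == "":
        reasons.append("extensionless module mapped from a user-writable directory")
    if loader in NO_USER_MODULE_LOADERS:
        reasons.append(f"{loader} mapped a module from a user-writable directory")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned module mapped from a user-writable directory")
    return reasons


def triage(events):
    """Keep only the records that raised at least one reason."""
    hits = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The extensionless-module condition alone is enough to surface both files from this report; the loader and signature conditions are there so the same function still fires on a renamed sideload DLL with a proper extension, which the other two tests catch.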
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49917
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49989
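The 88 lines above are 44 request/reply pairs. The only port that changes is the client's ephemeral port (49794 upward); the service side is always 9000, an HTTP conversation on a port that is not a standard web port. That pattern is repeated short sessions to one service, the shape of stealer/RAT check-ins, and not a port sweep, which would show one client port walking across many service ports. The following added example, not part of the report and not the sample's code, reconstructs the evidence lines from the 44 client ports listed in the report and shows how to fold the pairs into sessions and tell the two patterns apart. The ephemeral-range boundary, the session and scan thresholds, and the set of "standard" HTTP ports are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# The 44 client-side ports from the report's "HTTP traffic on port X -> 9000" pairs.
CLIENT_PORTS = [
    49794, 49799, 49803, 49806, 49811, 49817, 49821, 49826, 49831, 49837, 49840,
    49845, 49849, 49853, 49858, 49863, 49866, 49872, 49876, 49881, 49885, 49889,
    49895, 49898, 49904, 49908, 49913, 49917, 49921, 49927, 49930, 49935, 49939,
    49943, 49948, 49952, 49957, 49962, 49966, 49971, 49975, 49979, 49983, 49989,
]


def rebuild_evidence(client_ports, service_port=9000):
    """Reconstruct the report's evidence lines (both directions) from the port list."""
    lines = []
    for p in client_ports:
        lines.append(f"Source: unknown Network traffic detected: HTTP traffic on port {p} -> {service_port}")
        lines.append(f"Source: unknown Network traffic detected: HTTP traffic on port {service_port} -> {p}")
    return lines


LINE_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
EPHEMERAL_MIN = 49152                            # start of the dynamic range Windows uses by default
WELL_KNOWN_HTTP_PORTS = {80, 443, 8080, 8443}    # assumption: what "standard" means for this check


def parse_sessions(lines):
    """Fold request/reply pairs into a set of (client_port, service_port) sessions."""
    sessions = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        a, b = int(m.group(1)), int(m.group(2))
        if a >= EPHEMERAL_MIN > b:
            sessions.add((a, b))
        elif b >= EPHEMERAL_MIN > a:
            sessions.add((b, a))
        # both ports ephemeral or both below the range: direction is ambiguous, skip the line
    return sessions


def summarize(sessions, repeat_threshold=10, scan_threshold=10):
    """Distinguish repeated sessions to one service port from a sweep across many ports."""
    by_service = defaultdict(set)
    for client, service in sessions:
        by_service[service].add(client)
    if len(by_service) >= scan_threshold:
        pattern = "many service ports: consistent with a port scan"
    else:
        pattern = "few service ports: not a scan"
    per_port = {}
    for service, clients in sorted(by_service.items()):
        per_port[service] = {
            "sessions": len(clients),
            "repeated_sessions": len(clients) >= repeat_threshold,
            "nonstandard_http_port": service not in WELL_KNOWN_HTTP_PORTS,
        }
    return pattern, per_port


if __name__ == "__main__":
    pattern, per_port = summarize(parse_sessions(rebuild_evidence(CLIENT_PORTS)))
    print(pattern)
    for port, info in per_port.items():
        print(port, info)
```

Without timestamps the report cannot show the interval between sessions, so the output stops at "44 sessions to one non-standard HTTP port"; with a pcap the same per-port grouping is the natural place to add inter-arrival statistics for beacon detection.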
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (93 identical entries; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the system dialog shown when a file or DLL cannot be found, so a missing dropped component fails silently instead of alerting the user)

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController (2 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CFC3B54
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6B903B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 22B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2410000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4410000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 17B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 32C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1930000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5876 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -53254s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59881s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -39378s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -51660s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -39702s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59520s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -58749s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59370s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59259s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -37773s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -59151s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -38006s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -41894s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7344 Thread sleep time: -58515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -47582s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -56132s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -44044s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -40870s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -53854s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -35986s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -36895s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -30332s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7624 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3232 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -39383s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -47061s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -32543s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -45041s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -50241s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -32824s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -31882s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -52625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -47603s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7616 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -44848s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -36985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -59638s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -41329s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -47145s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -53869s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1424 Thread sleep time: -46830s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1252 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390C3984 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 5_2_00007FF7390C3984
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D62F0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW, 5_2_00007FF7390D62F0
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390E6DC0 FindFirstFileExA, 5_2_00007FF7390E6DC0
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_0081C510 FindFirstFileW,FindClose, 7_2_0081C510
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_00812940 FindFirstFileW,FindFirstFileW, 7_2_00812940
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: 7_2_0081BD50 FindFirstFileW,FindClose,lstrlenW, 7_2_0081BD50
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004DC510 FindFirstFileW,FindClose, 9_2_004DC510
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004DBD50 FindFirstFileW,FindClose,lstrlenW, 9_2_004DBD50
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 9_2_004D2940 FindFirstFileW,FindFirstFileW, 9_2_004D2940
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D90D8 VirtualQuery,GetSystemInfo, 5_2_00007FF7390D90D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53254 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59881 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39378 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51660 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39702 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59520 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58749 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59370 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59259 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37773 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59151 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 38006 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41894 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47582 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56132 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44044 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40870 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53854 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35986 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36895 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30332 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39383 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47061 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32543 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45041 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50241 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32824 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 31882 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47603 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44848 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59638 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47145 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53869 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46830 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002702000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231LR
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: cmd.exe, 00000010.00000002.2055733170.00000000051E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000000E.00000002.2522571454.00000000006A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000000E.00000002.2525529925.00000000029D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: MSBuild.exe, 0000000E.00000002.2528981980.00000000035A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390DA3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7390DA3B8
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C59ABE mov eax, dword ptr fs:[00000030h] 15_2_02C59ABE
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C69301 mov eax, dword ptr fs:[00000030h] 15_2_02C69301
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: 15_2_02C599C4 mov eax, dword ptr fs:[00000030h] 15_2_02C599C4
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390E7E40 GetProcessHeap, 5_2_00007FF7390E7E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D99D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF7390D99D8
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390DA3B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7390DA3B8
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390DA59C SetUnhandledExceptionFilter, 5_2_00007FF7390DA59C
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390DE7F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7390DE7F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtCreateFile: Direct from: 0x4E4 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x7FFB1C859635 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x5C3F50 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtProtectVirtualMemory: Direct from: 0x7FFB0BF994F5 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtQuerySystemInformation: Direct from: 0x7FFB0BF82143 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtCreateNamedPipeFile: Direct from: 0x7FFB1C842E70 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x7FFB0C258E14 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x7FFB0BF98E14 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x7FFB1C858E14 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtClose: Direct from: 0x5C18C0
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtQuerySystemInformation: Direct from: 0x7FFB1C842143 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x7FFB0BF99635 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe NtQuerySystemInformation: Direct from: 0x14DE90 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtAllocateVirtualMemory: Direct from: 0x553940 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtQuerySystemInformation: Direct from: 0x14FAE0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtProtectVirtualMemory: Direct from: 0x3 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtClose: Direct from: 0x630480
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtProtectVirtualMemory: Direct from: 0x6C006C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe NtProtectVirtualMemory: Direct from: 0x7FFB2CE826A1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtProtectVirtualMemory: Direct from: 0x7FFB1C8594F5 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe NtCreateNamedPipeFile: Direct from: 0x7FFB0BF82E70 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6BD61000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 23B008 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6BD61000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11D0008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D5700 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,swprintf,GetLastError,GetLastError,GetTickCount,swprintf,GetLastError,GetModuleFileNameW,swprintf,CreateFileMappingW,GetCommandLineW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,swprintf,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW, 5_2_00007FF7390D5700
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe "C:\Users\user~1\AppData\Local\Temp\Bijouterie\Mp3tag.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390EC9C0 cpuid 5_2_00007FF7390EC9C0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 5_2_00007FF7390D4CE8
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 7_2_0081C6F0
Source: C:\Users\user\AppData\Local\Temp\Bijouterie\Mp3tag.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0081B710
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 9_2_004DC6F0
Source: C:\Users\user\AppData\Roaming\Downloadplugin\Mp3tag.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_004DB710
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390D8588 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize, 5_2_00007FF7390D8588
Source: C:\Users\user\Desktop\file.exe Code function: 5_2_00007FF7390C3B10 GetVersionExW, 5_2_00007FF7390C3B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 16.2.cmd.exe.58000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.MSBuild.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.58000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1779706990.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2056182127.0000000005800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2055832534.0000000001302000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav, type: DROPPED
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1456, type: MEMORYSTR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\walletsLR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ata% |*| com.liberty.jaxx |*| * |*| True |*| |*|t-
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: MSBuild.exe, 0000000E.00000002.2525529925.0000000002581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: 16.2.cmd.exe.58000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.MSBuild.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.58000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1779706990.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2522571454.00000000006A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2056182127.0000000005800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2055832534.0000000001302000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 16.2.cmd.exe.58000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.MSBuild.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.cmd.exe.58000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.cmd.exe.54400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1779706990.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2056182127.0000000005800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2055832534.0000000001302000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 2868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\umfcpwvoouwjq, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\lcqqpedjyaav, type: DROPPED
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1456, type: MEMORYSTR