Windows Analysis Report g4FtSOZMD9

Overview

General Information

Sample Name: g4FtSOZMD9 (renamed file extension from none to exe)
Analysis ID: 547022
MD5: 81f377eda4163da1b74cae83e38ced9f
SHA1: e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256: a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
Tags: 32, exe, trojan
Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Connects to many ports of the same IP (likely port scanning)
Yara detected VB6 Downloader Generic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Yara detected WebBrowserPassView password recovery tool
Sigma detected: Suspicious Svchost Process
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}
Multi AV Scanner detection for submitted file
Source: g4FtSOZMD9.exe Virustotal: Detection: 22% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe ReversingLabs: Detection: 16%
Antivirus or Machine Learning detection for unpacked file
Source: 9.0.g4FtSOZMD9.exe.400000.2.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.3.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 22.0.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.1.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 23.0.g4FtSOZMD9.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: g4FtSOZMD9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407C87

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49835 -> 147.189.137.168:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 207.32.218.236 ports 62758,2,5,6,7,8
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: nhtaxfilling.ddnsgeek.com
Source: Malware configuration extractor URLs: http://147.189.137.168/1040_RyQoPlW98.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: JANETJiscServicesLimitedGB JANETJiscServicesLimitedGB
Source: Joe Sandbox View ASN Name: 1GSERVERSUS 1GSERVERSUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /1040_RyQoPlW98.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 147.189.137.168
Cache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49836 -> 207.32.218.236:62758
Source: unknown TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin
Source: g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin~:
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://google.com/chrome
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g?
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvFAB7.tmp.21.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: unknown DNS traffic detected: queries for: nhtaxfilling.ddnsgeek.com
Source: global traffic HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 147.189.137.168
Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\g4FtSOZMD9.exe Jump to behavior
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 22_2_0040BA30

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Uses 32bit PE files
Source: g4FtSOZMD9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_004222D9 22_2_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00401689 22_2_00401689
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00402F60 22_2_00402F60
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_1_004222D9 22_1_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_0040D044 23_2_0040D044
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00405038 23_2_00405038
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004050A9 23_2_004050A9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_0040511A 23_2_0040511A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004051AB 23_2_004051AB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004382F3 23_2_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00430575 23_2_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_0043B671 23_2_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_0041F6CD 23_2_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004119CF 23_2_004119CF
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00439B11 23_2_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00438E54 23_2_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00412F67 23_2_00412F67
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_0043CF18 23_2_0043CF18
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_004382F3 23_1_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_00430575 23_1_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_0043B671 23_1_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_0041F6CD 23_1_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_00439B11 23_1_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_00438E54 23_1_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_1_0043CF18 23_1_0043CF18
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 004124F0 appears 33 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 00412627 appears 61 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 00412968 appears 153 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 00421A32 appears 71 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 00416760 appears 65 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: String function: 0044407A appears 37 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228DACD NtAllocateVirtualMemory, 0_2_0228DACD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02296762 NtProtectVirtualMemory, 0_2_02296762
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228D09B NtWriteVirtualMemory,CreateFileA, 0_2_0228D09B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228DDDD NtWriteVirtualMemory,LoadLibraryA, 0_2_0228DDDD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00402CAC NtdllDefWindowProc_A, 22_2_00402CAC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00402D66 NtdllDefWindowProc_A, 22_2_00402D66
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004016FC NtdllDefWindowProc_A, 23_2_004016FC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004017B6 NtdllDefWindowProc_A, 23_2_004017B6
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: g4FtSOZMD9.exe, 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000000.00000002.470911055.00000000020E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIndregnet8.exeFE2XCfarS vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000000.460170430.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.604551488.0000000020A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.582574015.0000000001C68000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605978483.0000000001C8C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe Binary or memory string: OriginalFileName vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000015.00000000.606786406.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe Binary or memory string: OriginalFilename vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000001.608400388.0000000000422000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000017.00000000.609082555.0000000000431000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
PE file contains strange resources
Source: g4FtSOZMD9.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File read: C:\Users\user\Desktop\g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 22_2_00410DE1
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File created: C:\Users\user\AppData\Roaming\Screenshots
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File created: C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@11/24@1/2
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-UGB110
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource, 22_2_0041208B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File opened: C:\Users\user\Desktop\g4FtSOZMD9.cfg
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Unpacked PE file: 22.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Unpacked PE file: 23.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 7068, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_00401F3C push eax; iretd 0_2_00401F3D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228CE2E push edx; retf 2D64h 0_2_0228F5D1
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02281E90 push esi; retn E555h 0_2_022820B8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02281E90 push esp; retf E809h 0_2_022825C1
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228011A push ds; ret 0_2_02280124
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7C4BD push esp; iretd 9_3_01C7C4CB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CB54 push eax; retf 9_3_01C7CB55
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CF54 push eax; iretd 9_3_01C7CF55
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CB50 push eax; retf 9_3_01C7CB51
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CF50 push eax; iretd 9_3_01C7CF51
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CB64 pushad ; retf 9_3_01C7CB65
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CF64 pushad ; iretd 9_3_01C7CF65
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CB60 pushad ; retf 9_3_01C7CB61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CF60 pushad ; iretd 9_3_01C7CF61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CB68 push 6801C7CBh; retf 9_3_01C7CB6D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 9_3_01C7CF68 push 6801C7CFh; iretd 9_3_01C7CF6D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_0044693D push ecx; ret 21_1_0044694D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_004189F0 push FFFFFFAEh; iretd 21_1_004189F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_00418981 push FFFFFFAEh; iretd 21_1_004189F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_0044DB70 push eax; ret 21_1_0044DB84
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_0044DB70 push eax; ret 21_1_0044DBAC
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 21_1_00451D54 push eax; ret 21_1_00451D61
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00414060 push eax; ret 22_2_00414074
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00414060 push eax; ret 22_2_0041409C
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00414039 push ecx; ret 22_2_00414049
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_004164EB push 0000006Ah; retf 22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00416553 push 0000006Ah; retf 22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00416555 push 0000006Ah; retf 22_2_004165C4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00444355 push ecx; ret 23_2_00444365
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004446D0 push eax; ret 23_2_004446E4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004446D0 push eax; ret 23_2_0044470C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress, 22_2_00404C9D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File created: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 23_2_004047C6
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=\RESTROKE.EXE\BREVSAMLINGSSTEDS8SET W = CREATEOBJECT("WSCRIPT.SHELL")
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL\RESTROKE.EXE\BREVSAMLINGSSTEDS8SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCECHRYSOME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 5760 Thread sleep count: 543 > 30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 528 Thread sleep time: -1800000s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Thread delayed: delay time: 600000
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Window / User API: threadDelayed 543
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407C87
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe System information queried: ModuleInformation
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=\Restroke.exe\Brevsamlingssteds8Set W = CreateObject("WScript.Shell")
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll\Restroke.exe\Brevsamlingssteds8Software\Microsoft\Windows\CurrentVersion\RunOnceCHRYSOME
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: bhvFAB7.tmp.21.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20220102T102601Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=93a49fdf6de24d87bd311ffc5aadad28&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1324233&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1324233&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW$

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Thread information set: HideFromDebugger
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress, 22_2_00404C9D
Enables debug privileges
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_0228CE02 mov eax, dword ptr fs:[00000030h] 0_2_0228CE02
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02289E52 mov eax, dword ptr fs:[00000030h] 0_2_02289E52
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02295252 mov eax, dword ptr fs:[00000030h] 0_2_02295252
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02294BE5 mov eax, dword ptr fs:[00000030h] 0_2_02294BE5
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_022920B6 mov eax, dword ptr fs:[00000030h] 0_2_022920B6
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_02292C8E mov eax, dword ptr fs:[00000030h] 0_2_02292C8E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 0_2_022866C3 LdrInitializeThunk, 0_2_022866C3

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Source: g4FtSOZMD9.exe Binary or memory string: [2022/01/02 02:28:02 Offline Keylogger Started] [2022/01/02 02:28:02 Program Manager]
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620916811.0000000001C8A000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582805331.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605454693.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp Binary or memory string: [2022/01/02 02:28:02 Program Manager]
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp Binary or memory string: Program Manager5
Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp Binary or memory string: |Program Manager|

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00406B06 GetVersionExA, 22_2_00406B06
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: 22_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 22_2_00407C79

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: ESMTPPassword 23_2_004033E2
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 23_2_00402DA5
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 23_2_00402DA5
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 5524, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR