Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1631926
MD5:	e4265c65f6f798bdc3f1644caaa09379
SHA1:	5c72cd53fb3091b5cdb44021a05abd4cb116ef32
SHA256:	a5847cf2d171622e07ec1cb81015033c57f60e7bf3e3f808a5dbdcb44ffe4498
Tags:	exeSocks5Systemzuser-jstrosch
Infos:

Detection

Socks5Systemz

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Yara detected Socks5Systemz

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Joe Sandbox ML detected suspicious sample

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E4265C65F6F798BDC3F1644CAAA09379)

file.tmp (PID: 7036 cmdline: "C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp" /SL5="$403C0,4337550,56832,C:\Users\user\Desktop\file.exe" MD5: 01EB6207431C47E642C878967668AC73)

photorecoverylib.exe (PID: 7116 cmdline: "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i MD5: 84FDC770D4A9ECD786E59A0C9F7F9C26)

svchost.exe (PID: 7156 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6208 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6436 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6680 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 2016 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2500792811.0000000002EA1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000003.00000002.2500659420.0000000002E04000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: photorecoverylib.exe PID: 7116	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7156, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:26:22.365974+0100	2028765	3	Unknown Traffic	192.168.2.6	49689	176.113.115.96	443	TCP
2025-03-07T17:26:34.335512+0100	2028765	3	Unknown Traffic	192.168.2.6	49692	176.113.115.96	443	TCP
2025-03-07T17:26:46.238016+0100	2028765	3	Unknown Traffic	192.168.2.6	49695	176.113.115.96	443	TCP
2025-03-07T17:26:56.581883+0100	2028765	3	Unknown Traffic	192.168.2.6	49698	95.215.206.151	443	TCP
2025-03-07T17:27:02.102183+0100	2028765	3	Unknown Traffic	192.168.2.6	49700	95.215.206.151	443	TCP
2025-03-07T17:27:05.952912+0100	2028765	3	Unknown Traffic	192.168.2.6	49701	95.215.206.151	443	TCP
2025-03-07T17:27:08.719704+0100	2028765	3	Unknown Traffic	192.168.2.6	49702	95.215.206.151	443	TCP
2025-03-07T17:27:11.675115+0100	2028765	3	Unknown Traffic	192.168.2.6	49703	95.215.206.151	443	TCP
2025-03-07T17:27:14.460123+0100	2028765	3	Unknown Traffic	192.168.2.6	49704	95.215.206.151	443	TCP
2025-03-07T17:27:17.142521+0100	2028765	3	Unknown Traffic	192.168.2.6	49705	95.215.206.151	443	TCP
2025-03-07T17:27:19.883795+0100	2028765	3	Unknown Traffic	192.168.2.6	49706	95.215.206.151	443	TCP
2025-03-07T17:27:22.590522+0100	2028765	3	Unknown Traffic	192.168.2.6	49707	95.215.206.151	443	TCP
2025-03-07T17:27:25.227720+0100	2028765	3	Unknown Traffic	192.168.2.6	49708	95.215.206.151	443	TCP
2025-03-07T17:27:28.124045+0100	2028765	3	Unknown Traffic	192.168.2.6	49709	95.215.206.151	443	TCP
2025-03-07T17:27:31.590399+0100	2028765	3	Unknown Traffic	192.168.2.6	49710	95.215.206.151	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T17:26:57.530352+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49698	95.215.206.151	443	TCP
2025-03-07T17:27:02.755883+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49700	95.215.206.151	443	TCP
2025-03-07T17:27:06.640602+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49701	95.215.206.151	443	TCP
2025-03-07T17:27:09.390750+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49702	95.215.206.151	443	TCP
2025-03-07T17:27:12.357312+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49703	95.215.206.151	443	TCP
2025-03-07T17:27:15.136438+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49704	95.215.206.151	443	TCP
2025-03-07T17:27:17.798580+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49705	95.215.206.151	443	TCP
2025-03-07T17:27:20.576440+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49706	95.215.206.151	443	TCP
2025-03-07T17:27:23.258517+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49707	95.215.206.151	443	TCP
2025-03-07T17:27:25.894338+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49708	95.215.206.151	443	TCP
2025-03-07T17:27:29.030281+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	95.215.206.151	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 18%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045D2E4 ArcFourCrypt,	1_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045D2FC ArcFourCrypt,	1_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Unpacked PE file: 3.2.photorecoverylib.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1

Jump to behavior

Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49710 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-C1HVB.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-LNT1D.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 193.176.153.180:2024

Source: Joe Sandbox View	IP Address: 176.113.115.96 176.113.115.96
Source: Joe Sandbox View	IP Address: 193.176.153.180 193.176.153.180

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49703 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49702 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49706 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49689 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49709 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49710 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49700 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49695 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49705 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49708 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49701 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49698 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49692 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49704 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49707 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49706 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49702 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49704 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49708 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49701 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49709 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49703 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49700 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49698 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49705 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49707 -> 95.215.206.151:443

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 95.215.206.151
Source: unknown	TCP traffic detected without corresponding DNS query: 95.215.206.151

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EA2B95 WSASetLastError,WSARecv,WSASetLastError,select,

3_2_02EA2B95

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151

Source: file.tmp, 00000001.00000002.2500149346.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000000.1264689928.0000000000889000.00000002.00000001.01000000.00000009.sdmp, is-7D60U.tmp.1.dr, PhotoRecoveryLib.exe.3.dr, photorecoverylib.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.tmp, 00000001.00000002.2500149346.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000000.1264689928.0000000000889000.00000002.00000001.01000000.00000009.sdmp, is-7D60U.tmp.1.dr, PhotoRecoveryLib.exe.3.dr, photorecoverylib.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.tmp, 00000001.00000002.2500149346.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000000.1264689928.0000000000889000.00000002.00000001.01000000.00000009.sdmp, is-7D60U.tmp.1.dr, PhotoRecoveryLib.exe.3.dr, photorecoverylib.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: is-H6N3S.tmp.1.dr	String found in binary or memory: http://icu-project.org
Source: photorecoverylib.exe.1.dr	String found in binary or memory: http://nanoways.com/check/%hs
Source: file.tmp, 00000001.00000002.2500149346.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000000.1264689928.0000000000889000.00000002.00000001.01000000.00000009.sdmp, is-7D60U.tmp.1.dr, PhotoRecoveryLib.exe.3.dr, photorecoverylib.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: svchost.exe, 00000004.00000002.1373999939.000001303B013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: file.tmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: file.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: file.exe, 00000000.00000003.1249303027.0000000002258000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1249132202.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.1249303027.0000000002258000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1249132202.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/
Source: photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/9V
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38c926d19fe6595cd66946851e91fcd85241
Source: photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38d926d19fe6595cd66946851e91fcd85241
Source: photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/#
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/5
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/BV
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/T
Source: photorecoverylib.exe, 00000003.00000002.2501325144.0000000003598000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000359A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2501325144.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000359F000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000359F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2501325144.0000000003594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/en-GB
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/en-US
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/priseCertificates
Source: photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/z
Source: photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/zV
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000004.00000003.1373558910.000001303B05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374185234.000001303B081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373447200.000001303B05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000004.00000002.1374185234.000001303B081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000004.00000003.1373558910.000001303B05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000004.00000003.1373595964.000001303B04A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://nanoways.com/activate
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://nanoways.com/activate/?prefill=%hs
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://nanoways.com/deactivate
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://nanoways.com/deactivate/?prefill=%hs
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://nanoways.com/qr/%1
Source: svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak
Source: svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tilHS
Source: svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/
Source: svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000004.00000003.1373575600.000001303B04C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000004.00000003.1373575600.000001303B04C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000004.00000003.1373461231.000001303B05D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: file.tmp, 00000001.00000002.2500149346.00000000062C3000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000000.1264689928.0000000000889000.00000002.00000001.01000000.00000009.sdmp, is-7D60U.tmp.1.dr, PhotoRecoveryLib.exe.3.dr, photorecoverylib.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.2498709044.0000000002251000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1248732044.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1248823912.0000000002251000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2499236488.0000000000850000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1251135242.0000000002268000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1251046519.0000000003170000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2499611954.0000000002268000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html
Source: photorecoverylib.exe.1.dr	String found in binary or memory: https://www.openssl.org/docs/faq.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.6:49710 version: TLS 1.2

System Summary

PE file has a writeable .text section

Source: photorecoverylib.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PhotoRecoveryLib.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0042F594 NtdllDefWindowProc_A,	1_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00479380 NtdllDefWindowProc_A,	1_2_00479380
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045763C

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E944

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00470C74	1_2_00470C74
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0043533C	1_2_0043533C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004813C4	1_2_004813C4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00467848	1_2_00467848
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004303D0	1_2_004303D0
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0044453C	1_2_0044453C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004885E0	1_2_004885E0
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00434638	1_2_00434638
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00444AE4	1_2_00444AE4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0048ED0C	1_2_0048ED0C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00430F5C	1_2_00430F5C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045F16C	1_2_0045F16C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004451DC	1_2_004451DC
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045B21C	1_2_0045B21C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004455E8	1_2_004455E8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00487680	1_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0046989C	1_2_0046989C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00451A30	1_2_00451A30
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0043DDC4	1_2_0043DDC4
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_004067B7	3_2_004067B7
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609300CC	3_2_609300CC
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609660FA	3_2_609660FA
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6092114F	3_2_6092114F
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6091F2C9	3_2_6091F2C9
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096923E	3_2_6096923E
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6093323D	3_2_6093323D
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095C314	3_2_6095C314
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60950312	3_2_60950312
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094D33B	3_2_6094D33B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6093B368	3_2_6093B368
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096748C	3_2_6096748C
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6093F42E	3_2_6093F42E
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60954470	3_2_60954470
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609615FA	3_2_609615FA
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096A5EE	3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096D6A4	3_2_6096D6A4
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609606A8	3_2_609606A8
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60932654	3_2_60932654
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60955665	3_2_60955665
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094B7DB	3_2_6094B7DB
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60964807	3_2_60964807
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094E9BC	3_2_6094E9BC
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60937929	3_2_60937929
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6093FAD6	3_2_6093FAD6
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096DAE8	3_2_6096DAE8
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094DA3A	3_2_6094DA3A
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60936B27	3_2_60936B27
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60954CF6	3_2_60954CF6
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60950C6B	3_2_60950C6B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60966DF1	3_2_60966DF1
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60963D35	3_2_60963D35
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60909E9C	3_2_60909E9C
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60951E86	3_2_60951E86
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60912E0B	3_2_60912E0B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60954FF8	3_2_60954FF8
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EBBAFD	3_2_02EBBAFD
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EC2A80	3_2_02EC2A80
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EBD32F	3_2_02EBD32F
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EB70C0	3_2_02EB70C0
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EAE089	3_2_02EAE089
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EC267D	3_2_02EC267D
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EBB609	3_2_02EBB609
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EB874A	3_2_02EB874A
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EBBF15	3_2_02EBBF15
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EC0DB4	3_2_02EC0DB4
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_02EDD0A6	3_2_02EDD0A6

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00406AD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00457DB8 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00446118 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: String function: 00403684 appears 229 times
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: String function: 02EC2A10 appears 136 times
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: String function: 02EB7760 appears 32 times

Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: photorecoverylib.exe.1.dr	Static PE information: Resource name: RT_FILE type: PE32+ executable (console) x86-64, for MS Windows
Source: photorecoverylib.exe.1.dr	Static PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
Source: photorecoverylib.exe.1.dr	Static PE information: Resource name: RT_INST type: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows
Source: is-B53T5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-B53T5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-B53T5.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: PhotoRecoveryLib.exe.3.dr	Static PE information: Resource name: RT_FILE type: PE32+ executable (console) x86-64, for MS Windows
Source: PhotoRecoveryLib.exe.3.dr	Static PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
Source: PhotoRecoveryLib.exe.3.dr	Static PE information: Resource name: RT_INST type: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows

Source: sqlite3.dll.3.dr	Static PE information: Number of sections : 19 > 10
Source: is-14T6T.tmp.1.dr	Static PE information: Number of sections : 19 > 10

Source: file.exe, 00000000.00000003.1249303027.0000000002258000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.1249132202.0000000002480000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal96.troj.evad.winEXE@13/33@0/3

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EAF8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

3_2_02EAF8D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455EB4

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: CloseServiceHandle,CreateServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_004016EB

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_0046E5B8 GetVersion,CoCreateInstance,

1_2_0046E5B8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_0040DCE3 StartServiceCtrlDispatcherA,

3_2_0040DCE3

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_0040DCE3 StartServiceCtrlDispatcherA,

3_2_0040DCE3

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:5852:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-DI440.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: photorecoverylib.exe, photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: photorecoverylib.exe, photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: photorecoverylib.exe, photorecoverylib.exe, 00000003.00000002.2504972535.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, photorecoverylib.exe, 00000003.00000003.1267634629.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: file.exe

Virustotal: Detection: 18%

Source: file.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: file.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp" /SL5="$403C0,4337550,56832,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp" /SL5="$403C0,4337550,56832,C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsusershared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1

Jump to behavior

Source: file.exe

Static file information: File size 4588286 > 1048576

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-C1HVB.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-LNT1D.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Unpacked PE file: 3.2.photorecoverylib.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Unpacked PE file: 3.2.photorecoverylib.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: is-14T6T.tmp.1.dr	Static PE information: section name: /4
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /19
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /35
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /51
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /63
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /77
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /89
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /102
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /113
Source: is-14T6T.tmp.1.dr	Static PE information: section name: /124
Source: sqlite3.dll.3.dr	Static PE information: section name: /4
Source: sqlite3.dll.3.dr	Static PE information: section name: /19
Source: sqlite3.dll.3.dr	Static PE information: section name: /35
Source: sqlite3.dll.3.dr	Static PE information: section name: /51
Source: sqlite3.dll.3.dr	Static PE information: section name: /63
Source: sqlite3.dll.3.dr	Static PE information: section name: /77
Source: sqlite3.dll.3.dr	Static PE information: section name: /89
Source: sqlite3.dll.3.dr	Static PE information: section name: /102
Source: sqlite3.dll.3.dr	Static PE information: section name: /113
Source: sqlite3.dll.3.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004849F4 push 00484B02h; ret	1_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040995C push 00409999h; ret	1_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00458060 push 00458098h; ret	1_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004860E4 push ecx; mov dword ptr [esp], ecx	1_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004783C8 push ecx; mov dword ptr [esp], edx	1_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx	1_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0049AD44 pushad ; retf	1_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx	1_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00459378 push 004593BCh; ret	1_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx	1_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx	1_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0045186C push 0045189Fh; ret	1_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax	1_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00495BE4 push ecx; mov dword ptr [esp], ecx	1_2_00495BE9
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx	1_2_00419C3D

Source: is-LNT1D.tmp.1.dr

Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

3_2_02EAE8B2

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-H6N3S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-B53T5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-9996L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	File created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-QLH2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-C1HVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-LNT1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-14T6T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-IL7S9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	File created: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-P53L8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-ORIAL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	File created: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	File created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll			Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

3_2_02EAE8B2

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_0040DCE3 StartServiceCtrlDispatcherA,

3_2_0040DCE3

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_004843A8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F128

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

3_2_02EAE9B6

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Window / User API: threadDelayed 9790

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-H6N3S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-B53T5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-9996L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-QLH2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-P53L8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-C1HVB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-ORIAL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-LNT1D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-14T6T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-IL7S9.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5967

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

API coverage: 4.6 %

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 7120	Thread sleep count: 157 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 7120	Thread sleep time: -314000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 5948	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 7120	Thread sleep count: 9790 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 7120	Thread sleep time: -19580000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000006.00000002.2498851045.0000012E14642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2498990879.0000012E14682000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2498851045.0000012E1462B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000006.00000002.2498851045.0000012E14642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: photorecoverylib.exe, 00000003.00000002.2501325144.0000000003542000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.2498751207.0000012E14602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000006.00000002.2498851045.0000012E1462B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: svchost.exe, 00000006.00000002.2499159644.0000012E14702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2498851045.0000012E14642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2498925437.0000012E14653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: photorecoverylib.exe, 00000003.00000002.2499399932.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP]T

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_0-6764
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	API call chain: ExitProcess graph end node			graph_3-61370

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EB3A08 _memset,IsDebuggerPresent,

3_2_02EB3A08

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EBE6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

3_2_02EBE6BE

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EA5E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,

3_2_02EA5E59

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EB80E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_02EB80E8

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478DC4

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042EE28

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E0AC

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Code function: 3_2_02EAE86A cpuid

3_2_02EAE86A

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	Code function: GetLocaleInfoA,	1_2_004085C4

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458670

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Code function: 1_2_00455644 GetUserNameA,

1_2_00455644

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000008.00000002.2499876682.000001E6F3F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2499876682.000001E6F3F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.2500792811.0000000002EA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2500659420.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: photorecoverylib.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000003.00000002.2500792811.0000000002EA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2500659420.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: photorecoverylib.exe PID: 7116, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	3_2_609660FA
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	3_2_6090C1D6
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,	3_2_60963143
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	3_2_6096A2BD
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,	3_2_6096923E
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,	3_2_6096A38C
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	3_2_6096748C
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	3_2_609254B1
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_6094B407
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6090F435 sqlite3_bind_parameter_index,	3_2_6090F435
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,	3_2_609255D4
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609255FF sqlite3_bind_text,	3_2_609255FF
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,	3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,	3_2_6094B54C
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,	3_2_60925686
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,	3_2_6094A6C5
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,	3_2_609256E5
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	3_2_6094B6ED
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6092562A sqlite3_bind_blob,	3_2_6092562A
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,	3_2_60925655
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_6094C64A
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	3_2_609687A7
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	3_2_6095F7F7
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,	3_2_6092570B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095F772
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	3_2_60925778
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6090577D sqlite3_bind_parameter_name,	3_2_6090577D
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	3_2_6094B764
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6090576B sqlite3_bind_parameter_count,	3_2_6090576B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	3_2_6094A894
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095F883
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,	3_2_6094C8C2
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,	3_2_6096281E
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,	3_2_6096583A
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,	3_2_6095F9AD
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6094A92B
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,	3_2_6090EAE5
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	3_2_6095FB98
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	3_2_6095ECA6
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	3_2_6095FCCE
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,	3_2_6095FDAE
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,	3_2_60966DF1
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,	3_2_60969D75
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe	Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	3_2_6095FFB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	5 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	5 Windows Service	21 Software Packing	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 DLL Side-Loading	LSA Secrets	71 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	18%	Virustotal		Browse
file.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\PhotoRecoveryLib\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-14T6T.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-9996L.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-C1HVB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-H6N3S.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-IL7S9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-LNT1D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-ORIAL.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-P53L8.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-QLH2J.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-B53T5.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://176.113.115.96/9V	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	100%	Avira URL Cloud	malware
https://nanoways.com/qr/%1	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	100%	Avira URL Cloud	malware
https://95.215.206.151/z	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://nanoways.com/activate	0%	Avira URL Cloud	safe
https://nanoways.com/deactivate	0%	Avira URL Cloud	safe
https://95.215.206.151/	0%	Avira URL Cloud	safe
https://95.215.206.151/en-US	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38d926d19fe6595cd66946851e91fcd85241	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241	100%	Avira URL Cloud	malware
https://95.215.206.151/zV	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241	0%	Avira URL Cloud	safe
http://www.bingmapsportal.com	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf	100%	Avira URL Cloud	malware
https://95.215.206.151/T	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	100%	Avira URL Cloud	malware
https://t0.ssl.ak	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://95.215.206.151/5	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tilHS	0%	Avira URL Cloud	safe
https://nanoways.com/activate/?prefill=%hs	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	100%	Avira URL Cloud	malware
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210	100%	Avira URL Cloud	malware
https://nanoways.com/deactivate/?prefill=%hs	0%	Avira URL Cloud	safe
https://95.215.206.151/en-GB	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
http://www.remobjects.com/psU	0%	Avira URL Cloud	safe
https://95.215.206.151/priseCertificates	0%	Avira URL Cloud	safe
https://95.215.206.151/BV	0%	Avira URL Cloud	safe
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38c926d19fe6595cd66946851e91fcd85241	0%	Avira URL Cloud	safe
https://dynamic.t	0%	Avira URL Cloud	safe
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210	100%	Avira URL Cloud	malware
https://95.215.206.151/#	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
http://nanoways.com/check/%hs	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	true	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	true	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	true	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	true	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500	true	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://176.113.115.96/9V	photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp	false		high
https://176.113.115.96/	photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nanoways.com/qr/%1	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	file.exe	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/z	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000003.1373558910.000001303B05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374185234.000001303B081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373447200.000001303B05E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/en-US	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nanoways.com/activate	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://nanoways.com/deactivate	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38d926d19fe6595cd66946851e91fcd85241	photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210	photorecoverylib.exe, 00000003.00000002.2501325144.000000000359A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2501325144.000000000359F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/zV	photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241	photorecoverylib.exe, 00000003.00000003.2150867965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000004.00000002.1373999939.000001303B013000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000003.1373558910.000001303B05A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/T	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.innosetup.com/	file.tmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000004.00000003.1373461231.000001303B05D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openssl.org/docs/faq.html	photorecoverylib.exe.1.dr	false		high
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2501325144.0000000003594000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000004.00000002.1374185234.000001303B081000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374033518.000001303B02B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2501325144.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000359F000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t0.ssl.ak	svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000004.00000003.1373575600.000001303B04C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	file.exe	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nanoways.com/activate/?prefill=%hs	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000004.00000003.1373575600.000001303B04C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373611455.000001303B043000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1374088762.000001303B044000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/5	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
http://icu-project.org	is-H6N3S.tmp.1.dr	false		high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	photorecoverylib.exe, 00000003.00000002.2501325144.000000000359C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t0.ssl.ak.dynamic.tilHS	svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nanoways.com/deactivate/?prefill=%hs	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/	svchost.exe, 00000004.00000003.1373642375.000001303B032000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.215.206.151/en-GB	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000004.00000002.1374071129.000001303B03F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/priseCertificates	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	file.exe, 00000000.00000003.1249303027.0000000002258000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1249132202.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/BV	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38c926d19fe6595cd66946851e91fcd85241	photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.215.206.151/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210	photorecoverylib.exe, 00000003.00000002.2501325144.0000000003598000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 00000003.00000002.2499399932.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://95.215.206.151/#	photorecoverylib.exe, 00000003.00000002.2501325144.000000000354E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000004.00000002.1374118709.000001303B059000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000004.00000002.1374154196.000001303B063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	file.exe, 00000000.00000003.1249303027.0000000002258000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1249132202.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.1249981030.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-B53T5.tmp.1.dr	false		high
https://www.easycutstudio.com/support.html	file.exe, 00000000.00000002.2498709044.0000000002251000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1248732044.0000000002480000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1248823912.0000000002251000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2499236488.0000000000850000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1251135242.0000000002268000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1251046519.0000000003170000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.2499611954.0000000002268000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nanoways.com/check/%hs	photorecoverylib.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000004.00000003.1373475716.000001303B058000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000004.00000003.1373595964.000001303B04A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1373356201.000001303B062000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.113.115.96	unknown	Russian Federation	49505	SELECTELRU	false
193.176.153.180	unknown	unknown	207451	AGROSVITUA	false
95.215.206.151	unknown	Ukraine	204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631926
Start date and time:	2025-03-07 17:24:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@13/33@0/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 193 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:26:00	API Interceptor	450678x Sleep call for process: photorecoverylib.exe modified
11:26:27	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
176.113.115.96	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	silk.exe	Get hash	malicious	Socks5Systemz	Browse
	silk.exe	Get hash	malicious	Socks5Systemz	Browse
	random.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse
193.176.153.180	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	silk.exe	Get hash	malicious	Socks5Systemz	Browse
	mix.exe	Get hash	malicious	Socks5Systemz	Browse
	mix.exe	Get hash	malicious	Socks5Systemz	Browse
	KFkv0LwVHW.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, PureLog Stealer, RedLine	Browse
	random.exe	Get hash	malicious	Amadey, Cryptbot, Socks5Systemz	Browse
	random.exe	Get hash	malicious	Socks5Systemz	Browse
	AApUa7VQiy.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Socks5Systemz, Stealc, Vidar	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	5c9465cda4.exe	Get hash	malicious	Amadey, GCleaner, LiteHTTP Bot, LummaC Stealer, Mint Stealer, PureLog Stealer, Stealc	Browse	45.91.200.135
	random(5).exe	Get hash	malicious	GCleaner	Browse	45.91.200.135
	random(1).exe	Get hash	malicious	GCleaner	Browse	45.91.200.135
	xIwQcY1fc4.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer	Browse	45.91.200.135
	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	45.91.200.135
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	45.91.200.135
	random.exe	Get hash	malicious	GCleaner	Browse	45.91.200.135
	random.exe	Get hash	malicious	GCleaner	Browse	45.91.200.135
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	45.91.200.135
	Gm04IlvE4d.exe	Get hash	malicious	GCleaner	Browse	45.91.200.135
AGROSVITUA	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	file.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	silk.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	mix.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	mix.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	KFkv0LwVHW.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, PureLog Stealer, RedLine	Browse	193.176.153.180
	random.exe	Get hash	malicious	Amadey, Cryptbot, Socks5Systemz	Browse	193.176.153.180
	random.exe	Get hash	malicious	Socks5Systemz	Browse	193.176.153.180
	AApUa7VQiy.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Socks5Systemz, Stealc, Vidar	Browse	193.176.153.180
SELECTELRU	nabmpsl.elf	Get hash	malicious	Unknown	Browse	45.10.108.219
	NIwz1MK5d8.exe	Get hash	malicious	Amadey	Browse	176.113.115.6
	https://cdn.discordapp.com/attachments/1208290127424528417/1347131831350464562/mzSeCT06HitK85Fb.exe?ex=67cab5c9&is=67c96449&hm=1f5dd426eb7614f3776b7dafbe51534751657ba41ccf0472c966fb8b5a3984a3&	Get hash	malicious	Unknown	Browse	5.178.87.202
	5c9465cda4.exe	Get hash	malicious	Amadey, GCleaner, LiteHTTP Bot, LummaC Stealer, Mint Stealer, PureLog Stealer, Stealc	Browse	176.113.115.6
	GMOgZgNpNu.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	176.113.115.6
	xIwQcY1fc4.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer	Browse	176.113.115.6
	zPlhdcABwL.exe	Get hash	malicious	Amadey	Browse	176.113.115.6
	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	176.113.115.6
	2raqmphRKT.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer	Browse	176.113.115.6
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	176.113.115.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	xn3nGSFdRn.exe	Get hash	malicious	Vidar	Browse	95.215.206.151
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse	95.215.206.151
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	file.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	file.exe	Get hash	malicious	Socks5Systemz	Browse	95.215.206.151
	yMwA2Hcj3Q.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	95.215.206.151
	server.exe	Get hash	malicious	Ursnif	Browse	95.215.206.151

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\PhotoRecoveryLib\sqlite3.dll	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	tKBxw8eOIV.exe	Get hash	malicious	Socks5Systemz	Browse
	soft.exe	Get hash	malicious	GCleaner, LummaC Stealer, Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	9uWGaRcOv8.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	file.exe	Get hash	malicious	Socks5Systemz	Browse
	silk.exe	Get hash	malicious	Socks5Systemz	Browse
	silk.exe	Get hash	malicious	Socks5Systemz	Browse
	1w5RpHuliE.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Vidar	Browse

Created / dropped Files

C:\ProgramData\GV73it54.dat

Download File

Process:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:6Ctl:6Wl
MD5:	C97D9030410D74CA309F72C55FAE7EF3
SHA1:	F4DD53F28E6BC3C027BB7A4A506944CB9EF7582C
SHA-256:	715E70C515C9773278911AC3FA337C1CB7B69ED4EF35EB44DD94978B2758C17D
SHA-512:	259197612FACD1816E89EFEAF900CB5ACD85E91FF082462266317123A478DCA77092878E5819A4032DDE0FEDFB461896DB26562CF79DA2CA91C14EF4313F1D1B
Malicious:	false
Reputation:	low
Preview:	2..g....

C:\ProgramData\GV73rc54.dat

Download File

Process:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:F:F
MD5:	41883520C3071F5F4A4A4613FB005E0C
SHA1:	EB408DDC4FA484E6BEFDF5954E56A2198C7A9FAB
SHA-256:	075DE2B906DBD7066DA008CAB735BEE896370154603579A50122F9B88545BD45
SHA-512:	06413632D92ADEF2CC36AF89F348749F7C846900EC0ED41225AC2DAB571E230AAE6505B9F3095B22FABFB10C2F08CE267E4E58588A7CE64F38562079FE6E8A12
Malicious:	false
Reputation:	low
Preview:	....

C:\ProgramData\GV73resa.dat

Download File

Process:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.951914235012335
Encrypted:	false
SSDEEP:	3:ZoeGqdhHzXDBdUBWetxt:kq3HzX3UFx
MD5:	DD1ADC2BD780F3D8A4D52C8F148CCC77
SHA1:	E1920FE88E516FEEE3573E21D3914784A6367AE9
SHA-256:	5D08D3AC6C11A03519DCBD53D0FFBCAC8FD0099A8FB525760FDEB5DE11BEC463
SHA-512:	D4E83054B8033D52B42352BA425DE086A22119A854DB1A35C51433E392FDC10082AFB8675958CF897E27F06862865DCE861FAC1175B90DDF51AEAF94C368943F
Malicious:	false
Preview:	1eb2b8720110dff756582a45e74bb62f518d3799011c89eb7c719048e83fac56................................................................

C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe

Download File

Process:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5345280
Entropy (8bit):	6.63948529168088
Encrypted:	false
SSDEEP:	98304:lR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:b9Rc6dkgZPY2zZH896FP+m
MD5:	84FDC770D4A9ECD786E59A0C9F7F9C26
SHA1:	8B8FFADE1B9E72AFC8FB6F8B456EEEC92B051F5C
SHA-256:	64458D205E25C3D036172AE30C7C2D214ECF0EAE5BFE18BD99E7011E94748B8E
SHA-512:	1779C4FCB4B96A9FE9277E86F51181055D0903296BEBA5DD99523F9F06F3191807983648139198A82D894370F85684346E6E53AC68AB7DE5C5CAE78EB861C0E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\PhotoRecoveryLib\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: tKBxw8eOIV.exe, Detection: malicious, Browse Filename: tKBxw8eOIV.exe, Detection: malicious, Browse Filename: soft.exe, Detection: malicious, Browse Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: silk.exe, Detection: malicious, Browse Filename: silk.exe, Detection: malicious, Browse Filename: 1w5RpHuliE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.996483336647155
Encrypted:	false
SSDEEP:	384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
MD5:	C5735F75847667E33A6B2D5E50D19C6F
SHA1:	D2C5952138FA5A246EC5900C9E680E7AEAF099AF
SHA-256:	32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
SHA-512:	DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................^....v.U......S......g......Q..............f......V......W......P....Rich...........................PE..L......Q...........!..... ...$.......(.......0.....f.................................$....@..........................?......L6..P....`..,....................p......................................x1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....rsrc...,....`.......>..............@..@.reloc.......p.......D..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	226304
Entropy (8bit):	6.833378525054972
Encrypted:	false
SSDEEP:	6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
MD5:	0E2C47A16BC8ED754E810FEAEFF64E0D
SHA1:	7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
SHA-256:	FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
SHA-512:	9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j...j...j...$*..j....,..j.......j.......j....!..j...j...i.......j....)..j....(..j..../..j..Rich.j..........PE..L......Q...........!.....V..........&^.......p......................................4.....@.............................&S..\P.......`..0....................p...(...................................:..@............p..0............................text...;U.......V.................. ..`.rdata..&....p.......Z..............@..@.data...\|....P.......2..............@....rsrc...0....`.......<..............@..@.reloc...0...p...2...B..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1767424
Entropy (8bit):	6.502501235310596
Encrypted:	false
SSDEEP:	24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
MD5:	A7F201C0B9AC05E950ECC55D4403EC16
SHA1:	20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
SHA-256:	173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
SHA-512:	0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J:...[...[...[...#...[.......[..a-...[..a-...[...[..!X..a-6..[..a-7..[..a-...[..a-...[..a-...[..Rich.[..................PE..L....VuQ...........!.....4..........6L.......P.....J.........................P............@.............................#...$'..d.... ..X....................0..<....................................4..@............P...............................text....2.......4.................. ..`.rdata...s...P...t...8..............@..@.data....K.......*..................@....rsrc...X.... ......................@..@.reloc..B....0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1295872
Entropy (8bit):	6.469213828080914
Encrypted:	false
SSDEEP:	24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
MD5:	DAE4100039A943128C34BA3E05F6CD02
SHA1:	22B25C997C8204CA104CB72D98BC7FE57EA02B48
SHA-256:	2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
SHA-512:	5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tN6.0/X.0/X.0/X.a..1/X._Y..9/X.9W..4/X._Y..5/X.0/Y.U/X._Y..s/X._Y..L/X._Y..1/X._Y..1/X._Y..1/X.Rich0/X.........PE..L....VuQ...........!.....4..........^........P.....J.........................0............@..........................r.......i..d.......X........................[......................................@............P...............................text....2.......4.................. ..`.rdata..i....P.......8..............@..@.data....;...p.......J..............@....rsrc...X............Z..............@..@.reloc..4d.......f...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-14T6T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7D60U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	5345280
Entropy (8bit):	6.6394851843226155
Encrypted:	false
SSDEEP:	98304:wR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:89Rc6dkgZPY2zZH896FP+m
MD5:	F5C1A595056C648BBF0E4E04B231C311
SHA1:	D2BB9696E2A772D89ACA2D2980177AA7054A83DF
SHA-256:	6095188076A590D8114798D7C9466A3888A38C2EC36D638BC3E4ECC620B9B187
SHA-512:	1A101C1BF9B77534568E57BB7030A40EF89798CC8DAE1CC710AC21CD386A7A1491B965B808878CBBAED4A80BF936E90251AD475DD15B5E8BCC467D06CF9B4C84
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-9996L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	226304
Entropy (8bit):	6.833378525054972
Encrypted:	false
SSDEEP:	6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
MD5:	0E2C47A16BC8ED754E810FEAEFF64E0D
SHA1:	7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
SHA-256:	FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
SHA-512:	9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j...j...j...$*..j....,..j.......j.......j....!..j...j...i.......j....)..j....(..j..../..j..Rich.j..........PE..L......Q...........!.....V..........&^.......p......................................4.....@.............................&S..\P.......`..0....................p...(...................................:..@............p..0............................text...;U.......V.................. ..`.rdata..&....p.......Z..............@..@.data...\|....P.......2..............@....rsrc...0....`.......<..............@..@.reloc...0...p...2...B..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-C1HVB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.595802017835318
Encrypted:	false
SSDEEP:	12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
MD5:	E3C817F7FE44CC870ECDBCBC3EA36132
SHA1:	2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
SHA-256:	D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
SHA-512:	4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x.................................{....@.................................<...<.... ...............V..P....0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-H6N3S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1295872
Entropy (8bit):	6.469213828080914
Encrypted:	false
SSDEEP:	24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
MD5:	DAE4100039A943128C34BA3E05F6CD02
SHA1:	22B25C997C8204CA104CB72D98BC7FE57EA02B48
SHA-256:	2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
SHA-512:	5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tN6.0/X.0/X.0/X.a..1/X._Y..9/X.9W..4/X._Y..5/X.0/Y.U/X._Y..s/X._Y..L/X._Y..1/X._Y..1/X._Y..1/X.Rich0/X.........PE..L....VuQ...........!.....4..........^........P.....J.........................0............@..........................r.......i..d.......X........................[......................................@............P...............................text....2.......4.................. ..`.rdata..i....P.......8..............@..@.data....;...p.......J..............@....rsrc...X............Z..............@..@.reloc..4d.......f...`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-IL7S9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.044429679961545
Encrypted:	false
SSDEEP:	768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
MD5:	EAE56B896A718C3BC87A4253832A5650
SHA1:	4987D30E08490B3C5F356F47C33061E2F7E608C9
SHA-256:	EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
SHA-512:	044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+.w.x.w.x.w.x@9Ox.w.x..Ix.w.x..}x.w.x..Kx.w.x..Dx.w.x.w.x.w.x..\|x.w.x..Lx.w.x..Jx.w.xRich.w.x........................PE..L......Q...........!.........2......................................................o....@.....................................x...............................\...................................p...@...............,............................text...6........................... ..`.rdata..H ......."..................@..@.data...............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-LNT1D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901569696995594
Encrypted:	false
SSDEEP:	12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-ORIAL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.996483336647155
Encrypted:	false
SSDEEP:	384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
MD5:	C5735F75847667E33A6B2D5E50D19C6F
SHA1:	D2C5952138FA5A246EC5900C9E680E7AEAF099AF
SHA-256:	32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
SHA-512:	DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................^....v.U......S......g......Q..............f......V......W......P....Rich...........................PE..L......Q...........!..... ...$.......(.......0.....f.................................$....@..........................?......L6..P....`..,....................p......................................x1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....rsrc...,....`.......>..............@..@.reloc.......p.......D..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-P53L8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1767424
Entropy (8bit):	6.502501235310596
Encrypted:	false
SSDEEP:	24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
MD5:	A7F201C0B9AC05E950ECC55D4403EC16
SHA1:	20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
SHA-256:	173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
SHA-512:	0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J:...[...[...[...#...[.......[..a-...[..a-...[...[..!X..a-6..[..a-7..[..a-...[..a-...[..a-...[..Rich.[..................PE..L....VuQ...........!.....4..........6L.......P.....J.........................P............@.............................#...$'..d.... ..X....................0..<....................................4..@............P...............................text....2.......4.................. ..`.rdata...s...P...t...8..............@..@.data....K.......*..................@....rsrc...X.... ......................@..@.reloc..B....0......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-QLH2J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	728576
Entropy (8bit):	6.569671392209985
Encrypted:	false
SSDEEP:	12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
MD5:	A73EE126B2E6D43182D4C3482899D338
SHA1:	998F61112F911B050F7E07021F58AAB4F64C5D36
SHA-256:	06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
SHA-512:	2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.............}........z.......z.......z...............!o...............i....z.......z.......z......Rich............PE..L......Q...........!.....:...................P...............................`............@..........................n..E....Y..x................................r......................................@............P..0............................text....9.......:.................. ..`.rdata..E0...P...2...>..............@..@.data...l............p..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.044429679961545
Encrypted:	false
SSDEEP:	768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
MD5:	EAE56B896A718C3BC87A4253832A5650
SHA1:	4987D30E08490B3C5F356F47C33061E2F7E608C9
SHA-256:	EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
SHA-512:	044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+.w.x.w.x.w.x@9Ox.w.x..Ix.w.x..}x.w.x..Kx.w.x..Dx.w.x.w.x.w.x..\|x.w.x..Lx.w.x..Jx.w.xRich.w.x........................PE..L......Q...........!.........2......................................................o....@.....................................x...............................\...................................p...@...............,............................text...6........................... ..`.rdata..H ......."..................@..@.data...............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	728576
Entropy (8bit):	6.569671392209985
Encrypted:	false
SSDEEP:	12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
MD5:	A73EE126B2E6D43182D4C3482899D338
SHA1:	998F61112F911B050F7E07021F58AAB4F64C5D36
SHA-256:	06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
SHA-512:	2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.............}........z.......z.......z...............!o...............i....z.......z.......z......Rich............PE..L......Q...........!.....:...................P...............................`............@..........................n..E....Y..x................................r......................................@............P..0............................text....9.......:.................. ..`.rdata..E0...P...2...>..............@..@.data...l............p..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.595802017835318
Encrypted:	false
SSDEEP:	12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
MD5:	E3C817F7FE44CC870ECDBCBC3EA36132
SHA1:	2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
SHA-256:	D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
SHA-512:	4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x.................................{....@.................................<...<.... ...............V..P....0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901569696995594
Encrypted:	false
SSDEEP:	12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	5345280
Entropy (8bit):	6.63948529168088
Encrypted:	false
SSDEEP:	98304:lR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:b9Rc6dkgZPY2zZH896FP+m
MD5:	84FDC770D4A9ECD786E59A0C9F7F9C26
SHA1:	8B8FFADE1B9E72AFC8FB6F8B456EEEC92B051F5C
SHA-256:	64458D205E25C3D036172AE30C7C2D214ECF0EAE5BFE18BD99E7011E94748B8E
SHA-512:	1779C4FCB4B96A9FE9277E86F51181055D0903296BEBA5DD99523F9F06F3191807983648139198A82D894370F85684346E6E53AC68AB7DE5C5CAE78EB861C0E0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-B53T5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	722597
Entropy (8bit):	6.522036773433455
Encrypted:	false
SSDEEP:	12288:jQmCh1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblW4cNaf/yxyRh:jQrh1yLmSKrPD37zzH2A6QD/IpqggE2G
MD5:	453F22B226981E07FF789EB5468BD5DF
SHA1:	AF110D44F8F592D51D4ADA6870B8AD405DC86FFE
SHA-256:	4F16558E1AD75ABCE509BAC26BDF01938A714282932642875443478F00F81691
SHA-512:	B807DE56247A4CBFA5FB70F1B526AB42BB2B4DC1F872854EE4BECE5D20B3EF2BE50706AAEE0A70C5BA13C5999349BDE55F8FD3EB78699F59F57538A9AD4FB77B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	InnoSetup Log Photo Recovery Library, version 0x30, 5102 bytes, 061544\user, "C:\Users\user\AppData\Local\Photo Recovery Library 5.7"
Category:	dropped
Size (bytes):	5102
Entropy (8bit):	4.801985812868376
Encrypted:	false
SSDEEP:	96:GTxpdWg488ZpS64ugi99+eOIhna7ICSss/LnXLArR:KdWg48WpSFuEHIhAICSsAnX2
MD5:	C5C69221542A29561042014193F60221
SHA1:	AB1BC091952C4D90A443CE10BA01D21819D93D5F
SHA-256:	8B4A1068B830B56B45B6E35D57CE35A21FC7B94066CB348F258F594A2F7B7BE1
SHA-512:	4DBF7714A65B7D0FEC5E6472380ABD67AFB0142BD5247B768242174CAA14B2B218F156AEDDB58F6C153C49F364963394667DC7BB49C47C847A726BE95C108286
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Photo Recovery Library..........................................................................................................Photo Recovery Library..........................................................................................................0...........%...............................................................................................................@............Dx.......]....061544.user:C:\Users\user\AppData\Local\Photo Recovery Library 5.7...............r.. .....#......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	722597
Entropy (8bit):	6.522036773433455
Encrypted:	false
SSDEEP:	12288:jQmCh1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblW4cNaf/yxyRh:jQrh1yLmSKrPD37zzH2A6QD/IpqggE2G
MD5:	453F22B226981E07FF789EB5468BD5DF
SHA1:	AF110D44F8F592D51D4ADA6870B8AD405DC86FFE
SHA-256:	4F16558E1AD75ABCE509BAC26BDF01938A714282932642875443478F00F81691
SHA-512:	B807DE56247A4CBFA5FB70F1B526AB42BB2B4DC1F872854EE4BECE5D20B3EF2BE50706AAEE0A70C5BA13C5999349BDE55F8FD3EB78699F59F57538A9AD4FB77B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	711168
Entropy (8bit):	6.513790352899907
Encrypted:	false
SSDEEP:	12288:bQmCh1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblW4cNaf/yxyR:bQrh1yLmSKrPD37zzH2A6QD/IpqggE2K
MD5:	01EB6207431C47E642C878967668AC73
SHA1:	DCDB644E06025C66EF3D2BDD2AD6CF004843AB37
SHA-256:	86F0E28F496BAFDA24BECF3501B63082EDD13F740B425291AFC1328BC54090D5
SHA-512:	491CBFB2245C0630F0DAD32D83C847A9918ACDA1366C345B20356B39FB6493DFB756E54F626068F94279D1568D4FF0ECFC48DDFC4600661AE338D0DF53894DCE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-PD4F0.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.244905481518545
Encrypted:	false
SSDEEP:	48:FaqdF7w8sd+AAHdKoqKFxcxkF28suaqdF7r+AAHdKoqKFxcxkF7:cEe+AAsoJjyk0Er+AAsoJjykR
MD5:	FE5DA5AAE6C9629757B414210427D5D2
SHA1:	9C83C091FDE4765840539303B0085F0FD65DE865
SHA-256:	DC558A854056F0C58D05D733882A56E739991AEA0F2A4C247953964BE62BAE1A
SHA-512:	A3DFF78E6D896C70B9DFE6FE6AE619925B06AF3305ED71615997A0639FDE3FF1FA300B1E1D055B1EEC5E64FA80F4D00C766B4E9B2A942DFF93DB0DDD38473627
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .0.8.:.3.6.:.3.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998686424491839
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	4'588'286 bytes
MD5:	e4265c65f6f798bdc3f1644caaa09379
SHA1:	5c72cd53fb3091b5cdb44021a05abd4cb116ef32
SHA256:	a5847cf2d171622e07ec1cb81015033c57f60e7bf3e3f808a5dbdcb44ffe4498
SHA512:	841b703feef6034ad8be9707883b580a08764caa74d94c6fc4d31ac3a0fb88477c792f742373ce597ecef7caa0457322e0041de3de32c2d24c6dff0029b7f99d
SSDEEP:	98304:3UzFjCwQYfBmiaINgQyLJPL844UjUj/GkhFCgy77:kRjFlYiknLJD8NFjzhBy77
TLSH:	3026331907A3063AC182BC797928A405B9EB816F6C1C9F90E6CD7F2F87D716116F9F24
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x40a5f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F0848AD64A3h
call 00007F0848AD76AAh
call 00007F0848AD7939h
call 00007F0848AD79DCh
call 00007F0848AD997Bh
call 00007F0848ADC2E6h
call 00007F0848ADC44Dh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F0848ADCEFBh
call 00007F0848ADCAE6h
cmp byte ptr [0040B234h], 00000000h
je 00007F0848ADD9DEh
call 00007F0848ADCFF8h
xor eax, eax
call 00007F0848AD7199h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F0848AD9F8Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE2Ch
call 00007F0848AD653Ah
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE2Ch]
mov dl, 01h
mov eax, 0040738Ch
call 00007F0848ADA81Ah
mov dword ptr [0040CE30h], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F0848ADCF56h
mov dword ptr [0040CE38h], eax
mov eax, dword ptr [0040CE38h]
cmp dword ptr [eax+0Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9d30	0x9e00	611a4d7a24dd9b18a256468a5d7453f5	False	0.6052956882911392	data	6.631747641055028	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x250	0x400	2f7f9f859c8b4b133abf78cebd99cc90	False	0.306640625	data	2.7547169534996403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe90	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8c4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	ad3e8f5c45399a7f4b1273e0226a3730	False	0.3321200284090909	data	4.577480348752889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4f4	data	English	United States	0.26498422712933756
RT_MANIFEST	0x13570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Version Infos

Description	Data
Comments	This installation was built with Inno Setup.
CompanyName
FileDescription	Photo Recovery Library Setup
FileVersion
LegalCopyright
ProductName	Photo Recovery Library
ProductVersion
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T17:26:22.365974+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49689	176.113.115.96	443	TCP
2025-03-07T17:26:34.335512+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49692	176.113.115.96	443	TCP
2025-03-07T17:26:46.238016+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49695	176.113.115.96	443	TCP
2025-03-07T17:26:56.581883+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49698	95.215.206.151	443	TCP
2025-03-07T17:26:57.530352+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49698	95.215.206.151	443	TCP
2025-03-07T17:27:02.102183+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49700	95.215.206.151	443	TCP
2025-03-07T17:27:02.755883+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49700	95.215.206.151	443	TCP
2025-03-07T17:27:05.952912+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49701	95.215.206.151	443	TCP
2025-03-07T17:27:06.640602+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49701	95.215.206.151	443	TCP
2025-03-07T17:27:08.719704+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49702	95.215.206.151	443	TCP
2025-03-07T17:27:09.390750+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49702	95.215.206.151	443	TCP
2025-03-07T17:27:11.675115+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49703	95.215.206.151	443	TCP
2025-03-07T17:27:12.357312+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49703	95.215.206.151	443	TCP
2025-03-07T17:27:14.460123+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49704	95.215.206.151	443	TCP
2025-03-07T17:27:15.136438+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49704	95.215.206.151	443	TCP
2025-03-07T17:27:17.142521+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49705	95.215.206.151	443	TCP
2025-03-07T17:27:17.798580+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49705	95.215.206.151	443	TCP
2025-03-07T17:27:19.883795+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49706	95.215.206.151	443	TCP
2025-03-07T17:27:20.576440+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49706	95.215.206.151	443	TCP
2025-03-07T17:27:22.590522+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49707	95.215.206.151	443	TCP
2025-03-07T17:27:23.258517+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49707	95.215.206.151	443	TCP
2025-03-07T17:27:25.227720+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49708	95.215.206.151	443	TCP
2025-03-07T17:27:25.894338+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49708	95.215.206.151	443	TCP
2025-03-07T17:27:28.124045+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49709	95.215.206.151	443	TCP
2025-03-07T17:27:29.030281+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	95.215.206.151	443	TCP
2025-03-07T17:27:31.590399+0100	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49710	95.215.206.151	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 17:26:18.854604959 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:18.854648113 CET	443	49689	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:18.854868889 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:18.864052057 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:18.864063025 CET	443	49689	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:22.365878105 CET	443	49689	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:22.365973949 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.369380951 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.369492054 CET	443	49689	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:22.369570971 CET	49689	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.370973110 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.371009111 CET	443	49690	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:22.371094942 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.371469021 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:22.371484041 CET	443	49690	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:25.875420094 CET	443	49690	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:25.875488043 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.875978947 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.876216888 CET	443	49690	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:25.876365900 CET	49690	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.876450062 CET	49691	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.876507998 CET	443	49691	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:25.876571894 CET	49691	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.876657009 CET	49691	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:25.876712084 CET	443	49691	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:25.876811981 CET	49691	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:30.896244049 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:30.896295071 CET	443	49692	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:30.896444082 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:30.897242069 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:30.897258043 CET	443	49692	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:34.335426092 CET	443	49692	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:34.335511923 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.336461067 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.336709976 CET	443	49692	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:34.336807966 CET	49692	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.337877989 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.337918997 CET	443	49693	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:34.338068008 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.338409901 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:34.338428020 CET	443	49693	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:37.856199980 CET	443	49693	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:37.856334925 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.856710911 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.856889963 CET	443	49693	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:37.856960058 CET	49693	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.857346058 CET	49694	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.857379913 CET	443	49694	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:37.857795954 CET	49694	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.857858896 CET	49694	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:37.857918978 CET	443	49694	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:37.858021975 CET	49694	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:42.865503073 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:42.865571976 CET	443	49695	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:42.865698099 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:42.866101027 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:42.866125107 CET	443	49695	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:46.237916946 CET	443	49695	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:46.238015890 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.238362074 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.238603115 CET	443	49695	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:46.238668919 CET	49695	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.238815069 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.238852024 CET	443	49696	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:46.238997936 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.239295006 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:46.239308119 CET	443	49696	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:49.698246002 CET	443	49696	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:49.698405981 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.698786974 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.698916912 CET	443	49696	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:49.698982000 CET	49696	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.699908972 CET	49697	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.699943066 CET	443	49697	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:49.700027943 CET	49697	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.700177908 CET	49697	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:49.700223923 CET	443	49697	176.113.115.96	192.168.2.6
Mar 7, 2025 17:26:49.700277090 CET	49697	443	192.168.2.6	176.113.115.96
Mar 7, 2025 17:26:54.718898058 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:54.718955994 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:54.719036102 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:54.720123053 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:54.720139027 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:56.581722975 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:56.581882954 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:56.642544985 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:56.642577887 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:56.642926931 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:56.642980099 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:56.646771908 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:56.688332081 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:57.530340910 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:57.530421019 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:57.530567884 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:57.535180092 CET	49698	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:26:57.535200119 CET	443	49698	95.215.206.151	192.168.2.6
Mar 7, 2025 17:26:57.536212921 CET	49699	2024	192.168.2.6	193.176.153.180
Mar 7, 2025 17:26:57.541395903 CET	2024	49699	193.176.153.180	192.168.2.6
Mar 7, 2025 17:26:57.541496992 CET	49699	2024	192.168.2.6	193.176.153.180
Mar 7, 2025 17:26:57.541548014 CET	49699	2024	192.168.2.6	193.176.153.180
Mar 7, 2025 17:26:57.546608925 CET	2024	49699	193.176.153.180	192.168.2.6
Mar 7, 2025 17:26:57.546725035 CET	49699	2024	192.168.2.6	193.176.153.180
Mar 7, 2025 17:26:57.551733971 CET	2024	49699	193.176.153.180	192.168.2.6
Mar 7, 2025 17:26:58.195095062 CET	2024	49699	193.176.153.180	192.168.2.6
Mar 7, 2025 17:26:58.236620903 CET	49699	2024	192.168.2.6	193.176.153.180
Mar 7, 2025 17:27:00.223627090 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:00.223675013 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:00.223743916 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:00.224148035 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:00.224159956 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.102070093 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.102183104 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.102672100 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.102679968 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.102828979 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.102833033 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.755917072 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.756007910 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:02.756037951 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.756066084 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.756297112 CET	49700	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:02.756330967 CET	443	49700	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:03.977483034 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:03.977539062 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:03.977648020 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:03.981420994 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:03.981431961 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:05.952610970 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:05.952912092 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:05.953594923 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:05.953607082 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:05.953788042 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:05.953794003 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:06.640636921 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:06.640721083 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:06.640886068 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:06.641478062 CET	49701	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:06.641498089 CET	443	49701	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:06.756206036 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:06.756264925 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:06.756444931 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:06.756828070 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:06.756839037 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:08.719628096 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:08.719703913 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:08.727976084 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:08.727999926 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:08.745860100 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:08.745887995 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:09.390732050 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:09.390815020 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:09.391136885 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:09.391671896 CET	49702	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:09.391705036 CET	443	49702	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:09.508061886 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:09.508104086 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:09.508208990 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:09.508568048 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:09.508584023 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:11.675048113 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:11.675115108 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:11.675667048 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:11.675673962 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:11.675843954 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:11.675848961 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:12.357357025 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:12.357566118 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.357597113 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:12.357780933 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.357945919 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.358040094 CET	443	49703	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:12.358124971 CET	49703	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.474977970 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.475081921 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:12.475161076 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.475625038 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:12.475660086 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:14.459902048 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:14.460123062 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:14.461720943 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:14.461755037 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:14.462135077 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:14.462197065 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:14.462513924 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:14.508323908 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:15.136456013 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:15.136549950 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:15.136554003 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.136593103 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.136742115 CET	49704	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.136760950 CET	443	49704	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:15.255146980 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.255203962 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:15.255359888 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.255719900 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:15.255743027 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.142252922 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.142520905 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.143290043 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.143306971 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.143510103 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.143517971 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.798616886 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.798710108 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.798715115 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.803293943 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.826972961 CET	49705	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.827013016 CET	443	49705	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.948484898 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.948545933 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:17.948616028 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.949039936 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:17.949052095 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:19.883692980 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:19.883795023 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:19.884382963 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:19.884397030 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:19.884607077 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:19.884614944 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:20.576488018 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:20.576565981 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:20.576584101 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.576608896 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.576967001 CET	49706	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.576987982 CET	443	49706	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:20.697235107 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.697285891 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:20.697694063 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.697694063 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:20.697726011 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:22.590413094 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:22.590522051 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:22.631643057 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:22.631671906 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:22.638279915 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:22.638293982 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:23.258503914 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:23.258579969 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:23.258586884 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.258620977 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.258805990 CET	49707	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.258824110 CET	443	49707	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:23.381999016 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.382103920 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:23.382256031 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.382579088 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:23.382616997 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.227627039 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.227720022 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.228178024 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.228193998 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.230021000 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.230038881 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.894300938 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.894386053 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:25.894383907 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.894769907 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.894808054 CET	49708	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:25.894825935 CET	443	49708	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:26.022644997 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:26.022742987 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:26.024048090 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:26.024332047 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:26.024367094 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:28.123961926 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:28.124044895 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:28.124558926 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:28.124567986 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:28.126694918 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:28.126701117 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:29.030219078 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:29.030309916 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.030381918 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:29.030438900 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.030761957 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.030822992 CET	443	49709	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:29.030885935 CET	49709	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.152254105 CET	49710	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.152327061 CET	443	49710	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:29.152503967 CET	49710	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.152894974 CET	49710	443	192.168.2.6	95.215.206.151
Mar 7, 2025 17:27:29.152904987 CET	443	49710	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:31.590312958 CET	443	49710	95.215.206.151	192.168.2.6
Mar 7, 2025 17:27:31.590399027 CET	49710	443	192.168.2.6	95.215.206.151

HTTP Request Dependency Graph

95.215.206.151

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49698	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:26:56 UTC	295	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d4905a40cf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:26:57 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:26:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:26:57 UTC	700	IN	Data Raw: 32 62 30 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 65 32 66 61 62 61 30 38 66 38 33 33 61 35 33 62 39 33 39 64 63 38 63 32 35 39 31 36 38 35 31 65 61 30 35 63 31 64 30 34 62 34 66 61 64 34 31 39 31 34 62 33 32 36 65 33 64 62 34 61 65 31 31 61 63 63 33 31 38 39 66 39 35 62 31 63 66 33 66 36 62 64 33 66 35 35 62 64 62 39 34 66 61 34 66 63 39 64 33 39 65 35 30 61 36 62 33 66 34 63 31 30 38 30 38 63 36 64 32 30 37 30 30 64 66 33 30 32 36 30 37 64 31 33 31 38 65 63 61 64 33 39 36 35 38 34 32 63 38 37 30 33 34 66 39 64 36 30 37 35 32 36 37 30 65 37 34 63 65 65 64 31 30 37 37 61 37 66 32 35 39 61 39 65 34 65 61 35 32 61 61 37 34 63 64 63 63 32 35 65 62 66 31 63 34 65 62 35 34 31 35 38 63 34 36 39 62 33 37 61 35 33 31 Data Ascii: 2b08b723c68ee18403c660fbfe0384e2faba08f833a53b939dc8c25916851ea05c1d04b4fad41914b326e3db4ae11acc3189f95b1cf3f6bd3f55bdb94fa4fc9d39e50a6b3f4c10808c6d20700df302607d1318ecad3965842c87034f9d60752670e74ceed1077a7f259a9e4ea52aa74cdcc25ebf1c4eb54158c469b37a531

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49700	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:02 UTC	303	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:02 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:02 UTC	127	IN	Data Raw: 37 34 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 30 33 33 37 37 37 34 38 62 61 65 34 36 64 34 32 32 37 61 66 62 38 39 30 38 35 33 64 34 65 61 36 33 64 64 65 39 37 33 61 39 30 36 61 34 63 62 32 34 35 39 62 38 61 32 35 30 39 66 34 31 61 64 35 31 35 32 31 36 66 32 65 65 34 65 30 35 63 66 30 62 32 34 33 64 62 39 66 61 65 63 64 33 35 36 62 64 33 66 64 35 30 66 35 0d 0a 30 0d 0a 0d 0a Data Ascii: 748b723663ec1303377748bae46d4227afb890853d4ea63dde973a906a4cb2459b8a2509f41ad515216f2ee4e05cf0b243db9faecd356bd3fd50f50

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49701	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:05 UTC	303	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:06 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:06 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49702	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:08 UTC	303	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:09 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:09 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49703	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:11 UTC	303	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:12 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:12 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49704	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:14 UTC	303	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85210ceb1cd005672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf7433f1db HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:15 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:15 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49705	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:17 UTC	305	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:17 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:17 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49706	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:19 UTC	305	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:20 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:20 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49707	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:22 UTC	305	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:23 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:23 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49708	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:25 UTC	305	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:25 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:25 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49709	95.215.206.151	443	7116	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 16:27:28 UTC	305	OUT	GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac02909ea19d11629366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7630fed500 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 95.215.206.151
2025-03-07 16:27:29 UTC	200	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 07 Mar 2025 16:27:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.33
2025-03-07 16:27:29 UTC	24	IN	Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a Data Ascii: e8b723663ec13250

Target ID:	0
Start time:	11:25:23
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	4'588'286 bytes
MD5 hash:	E4265C65F6F798BDC3F1644CAAA09379
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	11:25:24
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-DI440.tmp\file.tmp" /SL5="$403C0,4337550,56832,C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	711'168 bytes
MD5 hash:	01EB6207431C47E642C878967668AC73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:25:25
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i
Imagebase:	0x400000
File size:	5'345'280 bytes
MD5 hash:	84FDC770D4A9ECD786E59A0C9F7F9C26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2500792811.0000000002EA1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2500659420.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:25:26
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff76b3d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:25:26
Start date:	07/03/2025
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff710c00000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:25:26
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff76b3d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:25:26
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff76b3d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:25:26
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff76b3d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:26:27
Start date:	07/03/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7c08f0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:26:27
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\GV73it54.dat

C:\ProgramData\GV73rc54.dat

C:\ProgramData\GV73resa.dat

C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe

C:\ProgramData\PhotoRecoveryLib\sqlite3.dll

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-14T6T.tmp

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7D60U.tmp

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-9996L.tmp

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-C1HVB.tmp

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-H6N3S.tmp

C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-IL7S9.tmp

Windows Analysis Report
file.exe